On Thu, Jan 2, 2020 at 10:38 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Thu, Jan 2, 2020 at 4:24 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > On Thu, Dec 19, 2019 at 8:22 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality. The
> > > code was originally developed to make it easier for Linux
> > > distributions to support architectures where adding parameters to the
> > > kernel command line was difficult. Unfortunately, supporting runtime
> > > disable meant we had to make some security trade-offs when it came to
> > > the LSM hooks, as documented in the Kconfig help text:
> > >
> > >   NOTE: selecting this option will disable the '__ro_after_init'
> > >   kernel hardening feature for security hooks. Please consider
> > >   using the selinux=0 boot parameter instead of enabling this
> > >   option.
> > >
> > > Fortunately it looks as if the original motivation for the
> > > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > > the only major distribution enabling this capability at build time
> > > so we are now taking steps to remove it entirely from the kernel.
> > > The first step is to mark the functionality as deprecated and print
> > > an error when it is used (what this patch is doing). As Fedora/RHEL
> > > makes progress in transitioning the distribution away from runtime
> > > disable, we will introduce follow-up patches over several kernel
> > > releases which will block for increasing periods of time when the
> > > runtime disable is used. Finally we will remove the option entirely
> > > once we believe all users have moved to the kernel cmdline approach.
> > >
> > > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> >
> > Looks reasonable, informal ACK from me.
>
> Thanks. You want to make that a formal ACK? ;)

Sure, if you find it useful :)

Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.