On Tue, Jan 7, 2020 at 9:34 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 1/6/20 10:30 PM, Paul Moore wrote:
> > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality. The
> > code was originally developed to make it easier for Linux
> > distributions to support architectures where adding parameters to the
> > kernel command line was difficult. Unfortunately, supporting runtime
> > disable meant we had to make some security trade-offs when it came to
> > the LSM hooks, as documented in the Kconfig help text:
> >
> > NOTE: selecting this option will disable the '__ro_after_init'
> > kernel hardening feature for security hooks. Please consider
> > using the selinux=0 boot parameter instead of enabling this
> > option.
> >
> > Fortunately it looks as if the original motivation for the
> > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > the only major distribution enabling this capability at build time,
> > so we are now taking steps to remove it entirely from the kernel.
> > The first step is to mark the functionality as deprecated and print
> > an error when it is used (what this patch is doing). As Fedora/RHEL
> > makes progress in transitioning the distribution away from runtime
> > disable, we will introduce follow-up patches over several kernel
> > releases which will block for increasing periods of time when the
> > runtime disable is used. Finally we will remove the option entirely
> > once we believe all users have moved to the kernel cmdline approach.
> >
> > Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> > Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> checkpatch.pl has two warnings on this patch, one about the new
> Documentation/ABI/obsolete/sysfs-selinux-disable file not being listed
> in MAINTAINERS (looks like others are) and one about the comment block
> style being wrong.

Fixed.
> Also not entirely sure if the file should be
> sysfs-selinux-disable or selinuxfs-disable; it gets mounted under sysfs
> but isn't part of it per se. Otherwise, LGTM.

I wondered about that too, but decided the selinuxfs vs sysfs distinction
didn't matter much here as /sys/fs/selinux *looks* like sysfs to
admins/users (outside of the separate mount, but that is typically handled
by the distro's init system).

Anyway, it's merged into selinux/next now.

--
paul moore
www.paul-moore.com