On Tue, Jun 2, 2020 at 8:52 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Tue, Jun 2, 2020 at 8:47 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > We deprecated the SELinux runtime disable functionality in Linux
> > v5.6, add a five second sleep to anyone using it to help draw their
> > attention to the deprecation.
> >
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > ---
> >  security/selinux/selinuxfs.c | 2 ++
> >  1 file changed, 2 insertions(+)
>
> Warning: while trivial, I've done no testing beyond a quick compile
> yet. I'm posting this now to see what everyone thinks about starting
> to make it a bit more painful to use the runtime disable
> functionality.

I'm concerned about how users will experience and respond to this change (and Linus too). Currently SELinux runtime disable is the method used by distro installers (at least Fedora/RHEL and derivatives) when SELinux-disabled is selected at install time, and it is the approach documented in distro documentation for how to disable SELinux. Hence, we'd be inflicting pain on the end users for what is essentially a distro choice. I'm not sure those end users will even realize why they suddenly have a delay in their boot times, since they may not think to look at the kernel boot logs or may miss the message among the numerous messages logged already.

I guess the question is whether there is precedent for adding this kind of delay to call attention to a need for change by users; if there is, it would be good if we could cite that precedent in the commit message to help avoid later complaints. It would also be good if we had a more thorough wiki page or something that documented for users how to fix the problem and referred users to that as part of the message (similar to ./arch/x86/kernel/cpu/bugs.c: pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");).
Just saying add selinux=0 in the message might not be sufficient since users may not know how to modify their kernel command line options, especially persistently. Allegedly the difficulty in updating kernel boot parameters on some platforms was the original motivation for adding runtime disable instead of just using selinux=0.
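The thread distinguishes two ways a host ends up with SELinux off: the deprecated runtime disable (installers and `/etc/selinux/config` set `SELINUX=disabled`, and userspace writes to selinuxfs at boot) and the `selinux=0` kernel command-line parameter. The following POSIX shell script is an added example, not part of the thread or of the kernel patch, that an administrator could run to tell which of the two a machine is actually relying on, so hosts that will hit the new boot delay can be found before the kernel is updated. It assumes the stock config file format (`SELINUX=<mode>` lines) and reads the command line from a file so it can be pointed at `/proc/cmdline` or at a saved copy; the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example: classify how a host disables SELinux.
# Not from the mailing-list thread or the kernel patch under discussion.
# Assumption: /etc/selinux/config follows the libselinux format, where a
# SELINUX=disabled line makes userspace use the (deprecated) runtime disable.

# cmdline_has_selinux0 FILE: exit 0 if FILE (e.g. /proc/cmdline) contains the
# whole-word parameter selinux=0, which disables SELinux in the kernel itself.
cmdline_has_selinux0() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# selinux_config_mode FILE: print the value of the last uncommented
# SELINUX= line in FILE (empty if none).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# classify_selinux_disable CMDLINE_FILE CONFIG_FILE: print one of
#   boot-param : selinux=0 on the kernel command line (not affected)
#   runtime    : SELINUX=disabled without selinux=0, i.e. the deprecated
#                runtime disable path that the patch makes slower
#   enabled    : SELinux is configured enforcing or permissive
classify_selinux_disable() {
    cmdline="$1"
    cfg="$2"
    if cmdline_has_selinux0 "$cmdline"; then
        echo boot-param
    elif [ "$(selinux_config_mode "$cfg")" = "disabled" ]; then
        echo runtime
    else
        echo enabled
    fi
}

# demo: run the classifier over constructed sample files (not a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=0\n' > "$d/cmdline_param"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$d/cmdline_plain"
    printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config_disabled"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config_enforcing"
    for pair in "cmdline_param config_disabled" "cmdline_plain config_disabled" \
                "cmdline_plain config_enforcing"; do
        set -- $pair
        printf '%-14s %-17s -> %s\n' "$1" "$2" \
            "$(classify_selinux_disable "$d/$1" "$d/$2")"
    done
    rm -rf "$d"
}

demo
```

On a live system the call would be `classify_selinux_disable /proc/cmdline /etc/selinux/config`; a result of `runtime` identifies exactly the configuration the patch targets, and is the case where an administrator would need to move the disable to the kernel command line if they want to avoid the added delay.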