On Thu, Sep 10, 2020 at 7:39 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Wed, Aug 19, 2020 at 9:07 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> <snip>
> > > So I've started to compose Fedora Change proposal
> > >
> > > https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
> > >
> > > It's not complete yet, but I believe it contains basic information. I'd
> > > appreciate if you can help me with text, phrases and references so that it would
> > > be easy to sell it as security feature to Fedora community :)
> >
> > I'd simplify the Summary to be something like "Remove support for
> > SELinux runtime disable so that the LSM hooks can be hardened via
> > read-only-after-initialization protections. Migrate users to using
> > selinux=0 if they want to disable SELinux."
>
> FYI, the change proposal has now been announced to the Fedora devel community:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/YQIYMWKFQEWCILU7UZWXO3YFNS2PLDG4/

Speaking of this, I noticed that Documentation/ABI/README says that
files under obsolete should say when to expect the interface to be
removed, and at least a couple of them do, e.g.
sysfs-class-net-batman-adv:This ABI is deprecated and will be removed after 2021.
Should we add similar lines to the two sysfs-selinux-* files, and if
so, what target date should we propose for each?