On Wed, Aug 19, 2020 at 9:07 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
<snip>
> > So I've started to compose Fedora Change proposal
> >
> > https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
> >
> > It's not complete yet, but I believe it contains basic information. I'd
> > appreciate if you can help me with text, phrases and references so that it would
> > be easy to sell it as security feature to Fedora community :)
>
> I'd simplify the Summary to be something like "Remove support for
> SELinux runtime disable so that the LSM hooks can be hardened via
> read-only-after-initialization protections. Migrate users to using
> selinux=0 if they want to disable SELinux."

FYI, the change proposal has now been announced to the Fedora devel community:

https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/YQIYMWKFQEWCILU7UZWXO3YFNS2PLDG4/

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.