[PATCH userspace] selinux(8): explain that runtime disable is deprecated

Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 31364271..721a65f4 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
 permissive mode or enforcing mode.  The
 .B SELINUX
 variable may be set to
-any one of disabled, permissive, or enforcing to select one of these
-options.  The disabled option completely disables the SELinux kernel
+any one of Disabled, Permissive, or Enforcing to select one of these
+options.  The Disabled option completely disables the SELinux kernel
 and application code, leaving the system running without any SELinux
-protection.  The permissive option enables the SELinux code, but
+protection.  The Permissive option enables the SELinux code, but
 causes it to operate in a mode where accesses that would be denied by
-policy are permitted but audited.  The enforcing option enables the
+policy are permitted but audited.  The Enforcing option enables the
 SELinux code and causes it to enforce access denials as well as
 auditing them.  Permissive mode may yield a different set of denials
 than enforcing mode, both because enforcing mode will prevent an
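Review bot: the switch from "disabled, permissive, or enforcing" to the capitalised "Disabled, Permissive, or Enforcing" is not mentioned in the commit message, which only covers the deprecation note; either state in the commit message that the option value spelling is being changed to match the casing used in the new NOTE, or split the capitalisation change into its own patch so the man-page history shows why the documented spelling changed. If the value is accepted in either case, a short sentence saying so in this paragraph would avoid readers concluding that existing lowercase entries in /etc/selinux/config are now invalid.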
@@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some
 application code will fall back to a less privileged mode of operation
 if denied access.
 
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=Disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled.  Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied.  In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently.  To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead.  In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
 The
 .I /etc/selinux/config
 configuration file also controls what policy
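Review bot: "depending on kernel version and configuration it might not lead to SELinux being completely disabled" leaves the reader with no way to check their own system; name the kernel version or build option that governs whether runtime disable still works, or point to where that can be inspected, so the note is actionable. Two grammar fixes in the same paragraph: "In such state, the system will act as if SELinux was disabled" should read "In such a state, the system will act as if SELinux were disabled", and "might behave slightly differently" would be more useful if it gave one example of what differs, since the preceding sentence says "no operation will be denied".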
-- 
2.26.2