On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote:
> Update the main SELinux manpage to explain that runtime disable (i.e.
> disabling SELinux using SELINUX=Disabled) is deprecated and recommend
> disabling SELinux only via the kernel boot parameter.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
> libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
> 1 file changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
> index 31364271..721a65f4 100644
> --- a/libselinux/man/man8/selinux.8
> +++ b/libselinux/man/man8/selinux.8
> @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
> permissive mode or enforcing mode. The
> .B SELINUX
> variable may be set to
> -any one of disabled, permissive, or enforcing to select one of these
> -options. The disabled option completely disables the SELinux kernel
> +any one of Disabled, Permissive, or Enforcing to select one of these
Is there a reson for these changes?
policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use
capitals:
SELINUX = enforcing | permissive | disabled
> +options. The Disabled option completely disables the SELinux kernel
> and application code, leaving the system running without any SELinux
> -protection. The permissive option enables the SELinux code, but
> +protection. The Permissive option enables the SELinux code, but
> causes it to operate in a mode where accesses that would be denied by
> -policy are permitted but audited. The enforcing option enables the
> +policy are permitted but audited. The Enforcing option enables the
> SELinux code and causes it to enforce access denials as well as
> auditing them. Permissive mode may yield a different set of denials
> than enforcing mode, both because enforcing mode will prevent an
> @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some
> application code will fall back to a less privileged mode of operation
> if denied access.
>
> +.B NOTE:
> +Disabling SELinux by setting
> +.B SELINUX=Disabled
> +in
> +.I /etc/selinux/config
> +is deprecated and depending on kernel version and configuration it might
> +not lead to SELinux being completely disabled. Specifically, the
> +SELinux hooks will still be executed internally, but the SELinux policy
> +will not be loaded and no operation will be denied. In such state, the
> +system will act as if SELinux was disabled, although some operations
> +might behave slightly differently. To properly disable SELinux, it is
> +recommended to use the
> +.B selinux=0
> +kernel boot option instead. In that case SELinux will be disabled
> +regardless of what is set in the
> +.I /etc/selinux/config
> +file.
> +
> The
> .I /etc/selinux/config
> configuration file also controls what policy
> --
> 2.26.2
>
Attachment:
signature.asc
Description: PGP signature
