On Wed, Nov 11, 2020 at 11:07 AM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote: > On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote: > > Update the main SELinux manpage to explain that runtime disable (i.e. > > disabling SELinux using SELINUX=Disabled) is deprecated and recommend > > disabling SELinux only via the kernel boot parameter. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++---- > > 1 file changed, 22 insertions(+), 4 deletions(-) > > > > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 > > index 31364271..721a65f4 100644 > > --- a/libselinux/man/man8/selinux.8 > > +++ b/libselinux/man/man8/selinux.8 > > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in > > permissive mode or enforcing mode. The > > .B SELINUX > > variable may be set to > > -any one of disabled, permissive, or enforcing to select one of these > > -options. The disabled option completely disables the SELinux kernel > > +any one of Disabled, Permissive, or Enforcing to select one of these > > Is there a reson for these changes? Just for better readability. Although I should probably just mark them up, as in selinux_config(5)... > policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use > capitals: > > SELINUX = enforcing | permissive | disabled Good point, it should be consistent. And also that page will need a similar update. v2 coming soon... > > > +options. The Disabled option completely disables the SELinux kernel > > and application code, leaving the system running without any SELinux > > -protection. The permissive option enables the SELinux code, but > > +protection. The Permissive option enables the SELinux code, but > > causes it to operate in a mode where accesses that would be denied by > > -policy are permitted but audited. The enforcing option enables the > > +policy are permitted but audited. The Enforcing option enables the > > SELinux code and causes it to enforce access denials as well as > > auditing them. Permissive mode may yield a different set of denials > > than enforcing mode, both because enforcing mode will prevent an > > @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some > > application code will fall back to a less privileged mode of operation > > if denied access. > > > > +.B NOTE: > > +Disabling SELinux by setting > > +.B SELINUX=Disabled > > +in > > +.I /etc/selinux/config > > +is deprecated and depending on kernel version and configuration it might > > +not lead to SELinux being completely disabled. Specifically, the > > +SELinux hooks will still be executed internally, but the SELinux policy > > +will not be loaded and no operation will be denied. In such state, the > > +system will act as if SELinux was disabled, although some operations > > +might behave slightly differently. To properly disable SELinux, it is > > +recommended to use the > > +.B selinux=0 > > +kernel boot option instead. In that case SELinux will be disabled > > +regardless of what is set in the > > +.I /etc/selinux/config > > +file. > > + > > The > > .I /etc/selinux/config > > configuration file also controls what policy > > -- > > 2.26.2 > > -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
