On Tue, Mar 1, 2022 at 5:53 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> We deprecated the SELinux runtime disable functionality in Linux
> v5.6, and it is time to get a bit more serious about removing it.
> Add a five second sleep to anyone using it to help draw their
> attention to the deprecation and provide a URL which helps explain
> things in more detail, including how to add kernel command line
> parameters to some of the more popular Linux distributions.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/selinuxfs.c | 2 ++
> 1 file changed, 2 insertions(+)
Comments are also welcome on the text in the URL shown as part of the
error message below.
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index f2f6203e0fff..3739155ee0db 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
> * kernel releases until eventually it is removed
> */
> pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
> + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n";);
> + ssleep(5);
>
> if (count >= PAGE_SIZE)
> return -ENOMEM;
>
--
paul-moore.com
