On 3/1/2022 2:53 PM, Paul Moore wrote:
We deprecated the SELinux runtime disable functionality in Linux
v5.6, and it is time to get a bit more serious about removing it.
Add a five second sleep to anyone using it to help draw their
attention to the deprecation and provide a URL which helps explain
things in more detail, including how to add kernel command line
parameters to some of the more popular Linux distributions.
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Thank you for pressing on this. FWIW -
Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
security/selinux/selinuxfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index f2f6203e0fff..3739155ee0db 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
* kernel releases until eventually it is removed
*/
pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
+ pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n";);
+ ssleep(5);
if (count >= PAGE_SIZE)
return -ENOMEM;
