From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> The runtime disable functionality has been removed in Linux 6.4. Thus security_disable(3) will no longer work on these kernels. Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libselinux/include/selinux/selinux.h | 6 +++++- libselinux/man/man3/security_disable.3 | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index 61c1422b..1318a66a 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); /* Get the checkreqprot value */ extern int security_get_checkreqprot(void); -/* Disable SELinux at runtime (must be done prior to initial policy load). */ +/* Disable SELinux at runtime (must be done prior to initial policy load). + Unsupported since Linux 6.4. */ +#ifdef __GNUC__ +__attribute__ ((deprecated)) +#endif extern int security_disable(void); /* Get the policy version number. */ diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 index 072923ce..5ad8b778 100644 --- a/libselinux/man/man3/security_disable.3 +++ b/libselinux/man/man3/security_disable.3 @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from and then unmounts .IR /sys/fs/selinux . .sp -This function can only be called at runtime and prior to the initial policy +This function is only supported on Linux 6.3 and earlier, and can only be +called at runtime and prior to the initial policy load. After the initial policy load, the SELinux kernel code cannot be disabled, but only placed in "permissive" mode by using .BR security_setenforce(3). -- 2.45.1
