• Paul Moore's avatar
    selinux: deprecate disabling SELinux and runtime · 89b223bf
    Paul Moore authored
    Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
    code was originally developed to make it easier for Linux
    distributions to support architectures where adding parameters to the
    kernel command line was difficult.  Unfortunately, supporting runtime
    disable meant we had to make some security trade-offs when it came to
    the LSM hooks, as documented in the Kconfig help text:
    
      NOTE: selecting this option will disable the '__ro_after_init'
      kernel hardening feature for security hooks.   Please consider
      using the selinux=0 boot parameter instead of enabling this
      option.
    
    Fortunately it looks as if that the original motivation for the
    runtime disable functionality is gone, and Fedora/RHEL appears to be
    the only major distribution enabling this capability at build time
    so we are now taking steps to remove it entirely from the kernel.
    The first step is to mark the functionality as deprecated and print
    an error when it is used (what this patch is doing).  As Fedora/RHEL
    makes progress in transitioning the distribution away from runtime
    disable, we will introduce follow-up patches over several kernel
    releases which will block for increasing periods of time when the
    runtime disable is used.  Finally we will remove the option entirely
    once we believe all users have moved to the kernel cmdline approach.
    Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    Acked-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
    Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    89b223bf
selinuxfs.c 50 KB