Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux
Currently on Fedora, the Security-Enhanced Linux (SELinux) functionality that is there by default can be disabled at run-time via /etc/selinux/config, but with Fedora 34 the project is looking at removing that support and allowing SELinux to be disabled only via selinux=0 at kernel boot time, in order to provide greater security.
At present on Fedora, those wanting to forgo the security safeguards can either pass selinux=0 on the kernel command line to disable the support at boot time or disable it within the /etc/selinux/config file, which in turn disables the support at run-time.
But run-time disabling via the /etc configuration file is deprecated upstream and comes with a security compromise around the kernel's Linux Security Module (LSM) hooks.
So starting with Fedora 34, the plan being looked at is to remove the run-time disabling support and migrate users to selinux=0 as the kernel option for disabling SELinux, should they not want this feature for performance reasons or other factors. For those with SELinux enabled, this provides further security hardening possibilities.
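An added example, not from the article or the Fedora project: a shell check that reports which of the two mechanisms described above a host relies on, so hosts that only use the deprecated run-time path can be found before upgrading. It assumes the run-time setting is the `SELINUX=disabled` line in /etc/selinux/config; the function names and result labels are made up for this illustration.

```shell
#!/bin/sh
# Classify how (or whether) SELinux is disabled on a host.
# File paths are parameters so the logic can be run against constructed files.

# Print the SELINUX= value from a config file (last uncommented assignment),
# or "unset" if the file is missing or has no such line.
selinux_config_mode() {
    [ -r "$1" ] || { echo "unset"; return 0; }
    scm_mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${scm_mode:-unset}"
}

# Succeed if the kernel command line carries selinux=0 as its own token.
cmdline_has_selinux0() {
    [ -r "$1" ] || return 1
    tr ' \t' '\n\n' < "$1" | grep -qx 'selinux=0'
}

# Usage: selinux_disable_method CONFIG_FILE CMDLINE_FILE
# Result labels (hypothetical, for this example):
#   boot-time          selinux=0 is on the kernel command line
#   runtime-deprecated disabled only through the config file; needs migrating
#   not-disabled       SELinux is left on
selinux_disable_method() {
    sdm_mode=$(selinux_config_mode "$1")
    if cmdline_has_selinux0 "$2"; then
        echo "boot-time"
    elif [ "$sdm_mode" = "disabled" ]; then
        echo "runtime-deprecated"
    else
        echo "not-disabled"
    fi
}

# Default to the live system's files; pass two paths to check other inputs.
echo "SELinux disable method: $(selinux_disable_method "${1:-/etc/selinux/config}" "${2:-/proc/cmdline}")"
```

A host reported as `runtime-deprecated` is one that would need selinux=0 added to its kernel boot options to stay disabled under the proposed change.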
More details on this proposed Fedora 34 change are available via the Fedora Wiki.