SELinux In Linux 6.4 Removes Run-Time Disabling Support
After being deprecated for several years, run-time disabling of Security Enhanced Linux (SELinux) is gone beginning with the Linux 6.4 kernel.
For a while now SELinux has deprecated run-time disabling, the ability to turn off SELinux after boot via its config file or sysfs. By getting rid of the run-time disabling support, SELinux developers can make various improvements that were blocked by this code.
Those wishing to disable SELinux can still do so via the selinux=0 boot-time option or, when building the Linux kernel, by toggling the "CONFIG_SECURITY_SELINUX_DISABLE" Kconfig switch.
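As an added example, not code from the article or the kernel tree, the following POSIX shell function classifies a host's SELinux state from the kernel command line and the selinuxfs mount, so an administrator can tell at a glance whether a machine was booted with selinux=0, is running a pre-6.4 kernel that still exposes the run-time "disable" node, or is enforcing. The file paths are parameters (normally /proc/cmdline and /sys/fs/selinux) so the function can be exercised against constructed fixtures; the fixture layout and the label names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): classify a host's SELinux state.
# Arguments are paths so the function can be run against constructed fixtures
# instead of a live host.
#
# Prints one of:
#   disabled-at-boot          selinux=0 was passed on the kernel command line
#   not-present               no selinuxfs at the given path (built without
#                             SELinux, or selinuxfs not mounted)
#   runtime-disable-possible  selinuxfs exposes 'disable' (pre-6.4 kernel built
#                             with CONFIG_SECURITY_SELINUX_DISABLE)
#   enforcing / permissive    read from selinuxfs 'enforce'
selinux_state() {
    cmdline_file="$1"   # normally /proc/cmdline
    selinuxfs="$2"      # normally /sys/fs/selinux

    # Word-match so that a token such as "xselinux=0" does not count.
    if [ -r "$cmdline_file" ] && grep -qw 'selinux=0' "$cmdline_file"; then
        echo disabled-at-boot
        return 0
    fi
    if [ ! -r "$selinuxfs/enforce" ]; then
        echo not-present
        return 0
    fi
    # Before 6.4 a kernel built with CONFIG_SECURITY_SELINUX_DISABLE exposes a
    # writable 'disable' node; its presence means a privileged process could
    # switch SELinux off at run time. From 6.4 the node no longer exists.
    if [ -e "$selinuxfs/disable" ]; then
        echo runtime-disable-possible
        return 0
    fi
    case "$(cat "$selinuxfs/enforce")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Constructed fixtures (not real hosts) mimicking four machines under $1:
#   boot0: booted with selinux=0        old: pre-6.4 kernel, 'disable' present
#   new:   6.4-style kernel, enforcing  none: no selinuxfs at all
make_fixtures() {
    root="$1"
    mkdir -p "$root/boot0" "$root/old/selinux" "$root/new/selinux" "$root/none"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 selinux=0' > "$root/boot0/cmdline"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1' > "$root/old/cmdline"
    echo 1 > "$root/old/selinux/enforce"
    : > "$root/old/selinux/disable"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1' > "$root/new/cmdline"
    echo 1 > "$root/new/selinux/enforce"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1' > "$root/none/cmdline"
}

# Live usage on a real host:
#   selinux_state /proc/cmdline /sys/fs/selinux
```

On a fleet, "runtime-disable-possible" is the result worth flagging: it identifies kernels on which SELinux can still be switched off after boot, which is exactly the capability the 6.4 change removes.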
The SELinux run-time disabling removal is made as part of this pull request, pending for the newly-opened Linux 6.4 merge window.
More details on the technical reasons and other information about this SELinux run-time disable removal can be found via this patch.
* Remove the runtime disable functionality
After several years of work by the userspace and distro folks, we are finally in a place where we feel comfortable removing the runtime disable functionality which we initially deprecated at the start of 2020. There is plenty of information in the kernel's deprecation (now removal) notice, but the main motivation was to be able to safely mark the LSM hook structures as '__ro_after_init'.