SELinux In Linux 6.4 Removes Run-Time Disabling Support

Written by Michael Larabel in Linux Security on 24 April 2023 at 08:30 AM EDT.
After the feature spent several years deprecated, Security Enhanced Linux "SELinux" can no longer be run-time disabled beginning with the Linux 6.4 kernel.

For a while now, SELinux has deprecated run-time disabling, meaning turning off SELinux via its config file or sysfs. Getting rid of the run-time disabling support lets SELinux developers make various improvements currently blocked by this code.


Those wishing to disable SELinux support can still do so via the selinux=0 boot-time option or, when building the Linux kernel, by toggling the "CONFIG_SECURITY_SELINUX_DISABLE" Kconfig switch.

* Remove the runtime disable functionality
After several years of work by the userspace and distro folks, we are finally in a place where we feel comfortable removing the runtime disable functionality which we initially deprecated at the start of 2020. There is plenty of information in the kernel's deprecation (now removal) notice, but the main motivation was to be able to safely mark the LSM hook structures as '__ro_after_init'.

The SELinux run-time disabling removal is made as part of this pull request pending for the newly-opened Linux 6.4 merge window.

More details on the technical reasons and other information about this SELinux run-time disable removal are available via this patch.
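
For administrators, the practical question is whether a host still depends on the removed mechanism: a config file asking for "disabled" with no selinux=0 on the kernel command line. The following audit script is an added example, not code from the article or the kernel patch; its function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this host depend on SELinux run-time disabling?
# File paths and the kernel release are arguments so constructed samples work.

# Mode from the first SELINUX= line of a config file, lowercased.
# (Taking the first match is this example's choice for files with duplicates.)
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# True if the kernel command line in file $1 carries the selinux=0 option.
cmdline_has_selinux0() {
    tr -s ' \t' '\n\n' < "$1" | grep -qx 'selinux=0'
}

# True if release string $1 (e.g. 6.4.0-rc1) is Linux 6.4 or newer.
kernel_at_least_6_4() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 4 ]; }
}

# Usage: audit_selinux_disable CONFIG_FILE CMDLINE_FILE KERNEL_RELEASE
audit_selinux_disable() {
    if [ "$(selinux_config_mode "$1")" != "disabled" ]; then
        echo "OK: config file does not request disabling"
    elif cmdline_has_selinux0 "$2"; then
        echo "OK: disabled at boot via selinux=0"
    elif kernel_at_least_6_4 "$3"; then
        echo "ACTION: SELINUX=disabled needs run-time disable, removed in 6.4"
    else
        echo "WARN: relies on deprecated run-time disable, gone from 6.4 on"
    fi
}

# Constructed sample: config asks for "disabled", cmdline lacks selinux=0.
demo=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo/config"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$demo/cmdline"
audit_selinux_disable "$demo/config" "$demo/cmdline" "6.4.0"
rm -rf "$demo"

# Live use: audit_selinux_disable /etc/selinux/config /proc/cmdline "$(uname -r)"
```

An ACTION or WARN verdict means the host's intended SELinux state should be moved to the selinux=0 boot option, or the config file changed, before it runs a 6.4 or newer kernel.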