mirror of https://github.com/Qortal/Brooklyn
What: /sys/fs/selinux/disable
Date: April 2005 (predates git)
KernelVersion: 2.6.12-rc2 (predates git)
Contact: [email protected]
Description:

The selinuxfs "disable" node allows SELinux to be disabled at runtime
prior to a policy being loaded into the kernel. If disabled via this
mechanism, SELinux will remain disabled until the system is rebooted.

The preferred method of disabling SELinux is via the "selinux=0" boot
parameter, but the selinuxfs "disable" node was created to make it
easier for systems with primitive bootloaders that did not allow for
easy modification of the kernel command line. Unfortunately, allowing
for SELinux to be disabled at runtime makes it difficult to secure the
kernel's LSM hooks using the "__ro_after_init" feature.

Thankfully, the need for the SELinux runtime disable appears to be
gone, the default Kconfig configuration disables this selinuxfs node,
and only one of the major distributions, Fedora, supports disabling
SELinux at runtime. Fedora is in the process of removing the
selinuxfs "disable" node and once that is complete we will start the
slow process of removing this code from the kernel.

More information on /sys/fs/selinux/disable can be found under the
CONFIG_SECURITY_SELINUX_DISABLE Kconfig option.
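
A host check for the two mechanisms described above, added here as an example and not part of the kernel documentation: it reports whether a kernel config still enables CONFIG_SECURITY_SELINUX_DISABLE and whether "selinux=0" was given at boot. The function names are hypothetical, the file paths are passed in by the caller, and using the last "selinux=" value on the command line is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit for the deprecated SELinux runtime-disable option.
# Usage (paths vary by distribution):
#   audit_selinux_disable "/boot/config-$(uname -r)" /proc/cmdline

# Print "enabled", "disabled" or "absent" for CONFIG_SECURITY_SELINUX_DISABLE.
# Accepts a plain kernel config file or a gzipped one (name ending in .gz).
runtime_disable_state() {
    case $1 in
        *.gz) cfg=$(gzip -dc "$1") || return 2 ;;
        *)    cfg=$(cat "$1") || return 2 ;;
    esac
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_SECURITY_SELINUX_DISABLE=y'; then
        echo enabled
    elif printf '%s\n' "$cfg" |
         grep -qx '# CONFIG_SECURITY_SELINUX_DISABLE is not set'; then
        echo disabled
    else
        echo absent   # option does not appear in this config at all
    fi
}

# Print the last selinux= value found in a kernel command line file,
# or "unset" when the parameter is not given (assumption: last one applies).
boot_param_state() {
    val=$(tr ' ' '\n' < "$1" | sed -n 's/^selinux=//p' | tail -n 1)
    echo "${val:-unset}"
}

# Report both settings, one per line.
# Returns 1 when runtime disable is compiled in, 2 when the config is unreadable.
audit_selinux_disable() {
    kcfg=$(runtime_disable_state "$1") || { echo "ERROR cannot read $1"; return 2; }
    boot=$(boot_param_state "$2")
    echo "kconfig CONFIG_SECURITY_SELINUX_DISABLE: $kcfg"
    echo "cmdline selinux=: $boot"
    [ "$kcfg" != enabled ]
}
```

A result of "enabled" means the kernel was built with the runtime disable code this entry marks as obsolete; "selinux=0" on the command line is the boot-time method the entry calls preferred.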