
DEPRECATE runtime disable

Paul Moore edited this page Jun 27, 2023 · 7 revisions

NOTE: The SELinux runtime disable functionality was removed in the Linux v6.4 release. On v6.4 and later kernels, the only way to disable SELinux is the selinux=0 kernel command line parameter described below.

The ability to disable SELinux at runtime is being deprecated in favor of the existing kernel command line switch, selinux=0, which disables SELinux at system boot. Continuing to support the runtime disable functionality blocks other internal security improvements that would harden the Linux kernel against attack: disabling SELinux after boot requires unregistering its LSM hooks, which forces the kernel's LSM hook lists to stay writable for the life of the system instead of being marked __ro_after_init.

If you are currently disabling SELinux at runtime by setting SELINUX=disabled in "/etc/selinux/config" (which causes init to write a 0 to "/sys/fs/selinux/disable" on boot) or by writing that 0 yourself, you will need to transition to adding selinux=0 to your kernel command line at boot. Note that on kernels without the runtime disable, SELINUX=disabled in "/etc/selinux/config" only prevents a policy from being loaded; SELinux itself stays enabled in the kernel, and selinux=0 on the command line is required to actually disable it. Documentation on how to do that for several Linux distributions can be found below:
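The following is an added example and not part of the SELinux wiki: a small POSIX shell helper that makes the transition idempotently on a GRUB2-based distribution by appending selinux=0 to GRUB_CMDLINE_LINUX in /etc/default/grub, and that checks whether the kernel you are actually running booted with selinux=0 by reading a /proc/cmdline-style file. The file paths it is demonstrated on are constructed temporary copies, not the real system files; the regeneration commands named in the comments (grub2-mkconfig / grubby on Fedora and RHEL, update-grub on Debian and Ubuntu) are assumptions about the bootloader in use, not something the page states.

```shell
#!/bin/sh
# Added example, not code from the SELinux project or the wiki page.
# Assumptions: GRUB2 reads GRUB_CMDLINE_LINUX from /etc/default/grub;
# grub.cfg is regenerated with grub2-mkconfig or grubby (Fedora/RHEL) or
# update-grub (Debian/Ubuntu). The demo at the bottom only touches temp files.
set -eu

# cmdline_has_arg FILE TOKEN: true if TOKEN is a whole word on the kernel
# command line stored in FILE (use /proc/cmdline for the running kernel).
cmdline_has_arg() {
    tr ' ' '\n' < "$1" | grep -qx -- "$2"
}

# grub_cmdline_value FILE: print the value inside GRUB_CMDLINE_LINUX="..."
# from FILE; prints nothing if the variable is not set there.
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# add_kernel_arg FILE ARG: add ARG to GRUB_CMDLINE_LINUX in FILE, once.
# Re-running it never duplicates the argument, so it is safe in provisioning.
add_kernel_arg() {
    file=$1 arg=$2
    current=$(grub_cmdline_value "$file")
    if printf '%s\n' "$current" | tr ' ' '\n' | grep -qx -- "$arg"; then
        return 0                     # already present, nothing to do
    fi
    if [ -z "$current" ] && ! grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$arg" >> "$file"
    else
        new=$(printf '%s %s' "$current" "$arg" | sed 's/^ //')
        # escape backslash, '&' and '/' so the value is safe inside s/// below
        esc=$(printf '%s' "$new" | sed -e 's/\\/\\\\/g' -e 's/[&/]/\\&/g')
        sed "s/^GRUB_CMDLINE_LINUX=\".*\"\$/GRUB_CMDLINE_LINUX=\"$esc\"/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# Demo on constructed copies of /etc/default/grub and /proc/cmdline.
# On a real host the sequence is:
#   add_kernel_arg /etc/default/grub selinux=0
#   grub2-mkconfig -o /boot/grub2/grub.cfg   (or: grubby --update-kernel=ALL --args=selinux=0)
#   update-grub                               (Debian/Ubuntu instead of the above)
#   reboot, then: cmdline_has_arg /proc/cmdline selinux=0 && getenforce  # prints Disabled
demo() {
    tmp=$(mktemp -d)
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="rhgb quiet"\n' > "$tmp/grub"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 rhgb quiet\n' > "$tmp/cmdline"

    add_kernel_arg "$tmp/grub" selinux=0
    add_kernel_arg "$tmp/grub" selinux=0     # second call is a no-op
    echo "new GRUB_CMDLINE_LINUX: $(grub_cmdline_value "$tmp/grub")"

    if cmdline_has_arg "$tmp/cmdline" selinux=0; then
        echo "running kernel booted with selinux=0"
    else
        echo "running kernel did not boot with selinux=0: regenerate grub.cfg and reboot"
    fi
    rm -rf "$tmp"
}
demo
```

The check against /proc/cmdline matters because editing /etc/default/grub changes nothing until grub.cfg is regenerated and the machine rebooted; until then the running kernel still has SELinux enabled, and on v6.4+ kernels the old SELINUX=disabled path will not turn it off.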

Additional information can be found in the CONFIG_SECURITY_SELINUX_DISABLE Kconfig help text or in the Linux kernel's deprecation notice for the runtime disable (Documentation/ABI/obsolete/sysfs-selinux-disable in kernels before the removal).
