DEPRECATE runtime disable
Paul Moore edited this page Mar 1, 2022
The ability to disable SELinux at runtime is being deprecated in favor of the existing kernel command line switch, selinux=0, which allows users to disable SELinux at system boot. Continuing to support the runtime disable functionality is blocking other internal security improvements that would allow us to harden the Linux kernel against attack, e.g. marking the kernel's LSM hooks as __ro_after_init.
If you are currently disabling SELinux at runtime by setting SELINUX=disabled in "/etc/selinux/config" or writing a 0 to "/sys/fs/selinux/disable" on boot, you will need to transition to adding selinux=0 to your kernel command line at boot. Documentation on how to do that for several Linux distributions can be found below:
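As an added check (not part of this wiki page or the SELinux project's own tooling), the following POSIX shell script reports whether a host still relies on the deprecated runtime disable, i.e. SELINUX=disabled in /etc/selinux/config without selinux=0 on the kernel command line. Both file paths are passed as arguments so it can be run against copies; the sample files it builds in demo() are constructed for illustration and do not come from a real system.

```shell
#!/bin/sh
# Added example, not from the SELinux wiki: audit whether a system depends on
# the deprecated runtime disable instead of the selinux=0 boot parameter.

# Return 0 if the given selinux config file sets SELINUX=disabled
# (ignores commented-out lines and tolerates surrounding whitespace).
config_runtime_disabled() {
    grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*disabled[[:space:]]*$' "$1"
}

# Return 0 if the given kernel command line file (e.g. /proc/cmdline)
# contains the selinux=0 parameter as a whole token.
cmdline_selinux_off() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Print "migrate" when the config still uses runtime disable and the kernel
# command line does not carry selinux=0; print "ok" otherwise.
# Arguments: <selinux config file> <kernel cmdline file>
selinux_disable_status() {
    if config_runtime_disabled "$1" && ! cmdline_selinux_off "$2"; then
        echo migrate
    else
        echo ok
    fi
}

# Demo on constructed sample files (hypothetical content, not a real host).
demo() {
    tmp=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/cmdline"
    selinux_disable_status "$tmp/config" "$tmp/cmdline"   # prints: migrate
    rm -rf "$tmp"
}
```

On a live system the check is `selinux_disable_status /etc/selinux/config /proc/cmdline`; a result of "migrate" means the host will lose its disable once runtime disable is removed, so selinux=0 must be added to the bootloader's kernel command line first. Note that a boot script writing 0 to /sys/fs/selinux/disable is not visible to this check and has to be located separately.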