Merge pull request #48548 from xenolinux/selinux

bergerhoffer · web-flow · commit 8962f8183853 · 2022-08-01T10:56:11.000-04:00
BZ1807524: Adds a warning about disabling SELiux
diff --git a/modules/installation-special-config-kargs.adoc b/modules/installation-special-config-kargs.adoc
@@ -13,6 +13,12 @@ to add kernel arguments during cluster installation so they take effect before
 the systems first boot up:
 
 * You want to disable a feature, such as SELinux, so it has no impact on the systems when they first come up.
+
+[WARNING]
+====
+Disabling SELinux on {op-system} is not supported.
+====
+
 * You need to do some low-level network configuration before the systems start.
 
 To add kernel arguments to master or worker nodes, you can create a `MachineConfig` object
diff --git a/modules/nodes-nodes-kernel-arguments.adoc b/modules/nodes-nodes-kernel-arguments.adoc
@@ -7,10 +7,7 @@
 [id="nodes-nodes-kernel-arguments_{context}"]
 = Adding kernel arguments to nodes
 
-In some special cases, you might want to add kernel arguments
-to a set of nodes in your cluster.
-This should only be done with caution and clear understanding
-of the implications of the arguments you set.
+In some special cases, you might want to add kernel arguments to a set of nodes in your cluster. This should only be done with caution and clear understanding of the implications of the arguments you set.
 
 [WARNING]
 ====
@@ -19,30 +16,17 @@ Improper use of kernel arguments can result in your systems becoming unbootable.
 
 Examples of kernel arguments you could set include:
 
-* **enforcing=0**: Configures Security Enhanced Linux (SELinux) to run in permissive mode.
-In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, 
-including labeling objects and emitting access denial entries in the logs, 
-but it does not actually deny any operations. While not recommended for production systems, 
-permissive mode can be helpful for debugging.  
+* **enforcing=0**: Configures Security Enhanced Linux (SELinux) to run in permissive mode. In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not supported for production systems, permissive mode can be helpful for debugging.
 
-* **nosmt**: Disables symmetric multithreading (SMT) in the kernel.
-Multithreading allows multiple logical threads for each CPU.
-You could consider `nosmt` in multi-tenant environments to reduce
-risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
+* **nosmt**: Disables symmetric multithreading (SMT) in the kernel. Multithreading allows multiple logical threads for each CPU. You could consider `nosmt` in multi-tenant environments to reduce risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
 
-* **systemd.unified_cgroup_hierarchy**: Enables 
-link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2). 
-Cgroup v2 is the next version of the kernel 
-link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01[control groups]
-and offers multiple improvements.
+* **systemd.unified_cgroup_hierarchy**: Enables link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2). Cgroup v2 is the next version of the kernel link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01[control groups] and offers multiple improvements.
 
-See link:https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt[Kernel.org kernel parameters]
-for a list and descriptions of kernel arguments.
+See link:https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt[Kernel.org kernel parameters] for a list and descriptions of kernel arguments.
 
 In the following procedure, you create a `MachineConfig` object that identifies:
 
-* A set of machines to which you want to add the kernel argument.
-In this case, machines with a worker role.
+* A set of machines to which you want to add the kernel argument. In this case, machines with a worker role.
 * Kernel arguments that are appended to the end of the existing kernel arguments.
 * A label that indicates where in the list of machine configs the change is applied.
 
