Merge pull request #71175 from travier/dont-disable-selinux

Do not emphasize disabling SELinux in examples

Author: jldohmann

modules/installation-special-config-kargs.adoc

@@ -12,15 +12,16 @@ installation. Here are some reasons you might want
 to add kernel arguments during cluster installation so they take effect before
 the systems first boot up:
 
-* You want to disable a feature, such as SELinux, so it has no impact on the systems when they first come up.
+* You need to do some low-level network configuration before the systems start.
 
+* You want to disable a feature, such as SELinux, so it has no impact on the systems when they first come up.
++
 [WARNING]
 ====
-Disabling SELinux on {op-system} is not supported.
+Disabling SELinux on {op-system} in production is not supported.
+Once SELinux has been disabled on a node, it must be re-provisioned before re-inclusion in a production cluster.
 ====
 
-* You need to do some low-level network configuration before the systems start.
-
 To add kernel arguments to master or worker nodes, you can create a `MachineConfig` object
 and inject that object into the set of manifest files used by Ignition during
 cluster setup.

modules/nodes-nodes-kernel-arguments.adoc

@@ -16,8 +16,6 @@ Improper use of kernel arguments can result in your systems becoming unbootable.
 
 Examples of kernel arguments you could set include:
 
-* **enforcing=0**: Configures Security Enhanced Linux (SELinux) to run in permissive mode. In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not supported for production systems, permissive mode can be helpful for debugging.
-
 * **nosmt**: Disables symmetric multithreading (SMT) in the kernel. Multithreading allows multiple logical threads for each CPU. You could consider `nosmt` in multi-tenant environments to reduce risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
 
 ifndef::openshift-origin[]
@@ -33,6 +31,14 @@ cgroup v2 is enabled by default. To disable cgroup v2, use the `systemd.unified_
 ====
 endif::openshift-origin[]
 
+* **enforcing=0**: Configures Security Enhanced Linux (SELinux) to run in permissive mode. In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not supported for production systems, permissive mode can be helpful for debugging.
++
+[WARNING]
+====
+Disabling SELinux on {op-system} in production is not supported.
+Once SELinux has been disabled on a node, it must be re-provisioned before re-inclusion in a production cluster.
+====
+
 See link:https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt[Kernel.org kernel parameters] for a list and descriptions of kernel arguments.
 
 In the following procedure, you create a `MachineConfig` object that identifies: