18c2ecf20Sopenharmony_ciWhat: /sys/fs/selinux/disable 28c2ecf20Sopenharmony_ciDate: April 2005 (predates git) 38c2ecf20Sopenharmony_ciKernelVersion: 2.6.12-rc2 (predates git) 48c2ecf20Sopenharmony_ciContact: selinux@vger.kernel.org 58c2ecf20Sopenharmony_ciDescription: 68c2ecf20Sopenharmony_ci 78c2ecf20Sopenharmony_ci The selinuxfs "disable" node allows SELinux to be disabled at runtime 88c2ecf20Sopenharmony_ci prior to a policy being loaded into the kernel. If disabled via this 98c2ecf20Sopenharmony_ci mechanism, SELinux will remain disabled until the system is rebooted. 108c2ecf20Sopenharmony_ci 118c2ecf20Sopenharmony_ci The preferred method of disabling SELinux is via the "selinux=0" boot 128c2ecf20Sopenharmony_ci parameter, but the selinuxfs "disable" node was created to make it 138c2ecf20Sopenharmony_ci easier for systems with primitive bootloaders that did not allow for 148c2ecf20Sopenharmony_ci easy modification of the kernel command line. Unfortunately, allowing 158c2ecf20Sopenharmony_ci for SELinux to be disabled at runtime makes it difficult to secure the 168c2ecf20Sopenharmony_ci kernel's LSM hooks using the "__ro_after_init" feature. 178c2ecf20Sopenharmony_ci 188c2ecf20Sopenharmony_ci Thankfully, the need for the SELinux runtime disable appears to be 198c2ecf20Sopenharmony_ci gone, the default Kconfig configuration disables this selinuxfs node, 208c2ecf20Sopenharmony_ci and only one of the major distributions, Fedora, supports disabling 218c2ecf20Sopenharmony_ci SELinux at runtime. Fedora is in the process of removing the 228c2ecf20Sopenharmony_ci selinuxfs "disable" node and once that is complete we will start the 238c2ecf20Sopenharmony_ci slow process of removing this code from the kernel. 248c2ecf20Sopenharmony_ci 258c2ecf20Sopenharmony_ci More information on /sys/fs/selinux/disable can be found under the 268c2ecf20Sopenharmony_ci CONFIG_SECURITY_SELINUX_DISABLE Kconfig option. 27