summaryrefslogtreecommitdiff
path: root/security/selinux
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2022-03-01 17:53:01 -0500
committerPaul Moore <paul@paul-moore.com>2022-04-04 16:20:51 -0400
commit43b666622c60bc001f2f8a19f5f97946ff53a5cc (patch)
tree4ff2512ec24ba3e83cd6030aaa6addc6e38047cc /security/selinux
parent0a9876f36b08706d9954d8ccb42d0cd85f210333 (diff)
selinux: runtime disable is deprecated, add some ssleep() discomfort
We deprecated the SELinux runtime disable functionality in Linux v5.6, and it is time to get a bit more serious about removing it. Add a five second sleep to anyone using it to help draw their attention to the deprecation and provide a URL which helps explain things in more detail, including how to add kernel command line parameters to some of the more popular Linux distributions. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/selinuxfs.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 097c6d866ec4..6568bc48cd3e 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
* kernel releases until eventually it is removed
*/
pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
+ pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+ ssleep(5);
if (count >= PAGE_SIZE)
return -ENOMEM;