1*4882a593SmuzhiyunWhat: /sys/fs/selinux/disable 2*4882a593SmuzhiyunDate: April 2005 (predates git) 3*4882a593SmuzhiyunKernelVersion: 2.6.12-rc2 (predates git) 4*4882a593SmuzhiyunContact: selinux@vger.kernel.org 5*4882a593SmuzhiyunDescription: 6*4882a593Smuzhiyun 7*4882a593Smuzhiyun The selinuxfs "disable" node allows SELinux to be disabled at runtime 8*4882a593Smuzhiyun prior to a policy being loaded into the kernel. If disabled via this 9*4882a593Smuzhiyun mechanism, SELinux will remain disabled until the system is rebooted. 10*4882a593Smuzhiyun 11*4882a593Smuzhiyun The preferred method of disabling SELinux is via the "selinux=0" boot 12*4882a593Smuzhiyun parameter, but the selinuxfs "disable" node was created to make it 13*4882a593Smuzhiyun easier for systems with primitive bootloaders that did not allow for 14*4882a593Smuzhiyun easy modification of the kernel command line. Unfortunately, allowing 15*4882a593Smuzhiyun for SELinux to be disabled at runtime makes it difficult to secure the 16*4882a593Smuzhiyun kernel's LSM hooks using the "__ro_after_init" feature. 17*4882a593Smuzhiyun 18*4882a593Smuzhiyun Thankfully, the need for the SELinux runtime disable appears to be 19*4882a593Smuzhiyun gone, the default Kconfig configuration disables this selinuxfs node, 20*4882a593Smuzhiyun and only one of the major distributions, Fedora, supports disabling 21*4882a593Smuzhiyun SELinux at runtime. Fedora is in the process of removing the 22*4882a593Smuzhiyun selinuxfs "disable" node and once that is complete we will start the 23*4882a593Smuzhiyun slow process of removing this code from the kernel. 24*4882a593Smuzhiyun 25*4882a593Smuzhiyun More information on /sys/fs/selinux/disable can be found under the 26*4882a593Smuzhiyun CONFIG_SECURITY_SELINUX_DISABLE Kconfig option. 27