Update instructions for disabling and re-enabling SELinux

The kernel functionality that allowed disabling SELinux by changing
/etc/selinux/config is now deprecated and will be removed in F34 [1].
While setting SELINUX=Disabled will still lead to a similar state even
after the removal, it is better to guide users to disable SELinux via
kernel boot parameters, which will actually disable SELinux completely
(as in no SELinux code is executed by the kernel).

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Ondrej Mosnacek 2020-10-29 15:55:18 +01:00 committed by pbokoc
parent 77a636998d
commit 65925232d5
2 changed files with 27 additions and 13 deletions


@ -2,7 +2,7 @@
//
// changing-selinux-states-and-modes.adoc
[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux]
[#{context}-disabling-selinux]
= Disabling SELinux
When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged. Therefore, all benefits of running SELinux listed in link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux[Benefits of SELinux] are lost.
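Review bot: renaming the section anchor from `[#{context}-Enabling_and_Disabling_SELinux-Disabling_SELinux]` to `[#{context}-disabling-selinux]` breaks any existing xref to the old ID, in this module or in other guides that include it; grep the repository for the old anchor and update those references in the same commit, or keep the old ID as an additional anchor during a transition. The new ID is otherwise consistent with the `<<{context}-changing-to-permissive-mode>>` style used in the second file.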
@ -14,21 +14,17 @@ It is recommended to use permissive mode instead of permanently disabling SELinu
To permanently disable SELinux, follow the procedure below:
. Configure [option]`SELINUX=disabled` in the `/etc/selinux/config` file:
This procedure assumes that the [package]*grubby* package is installed. To verify that it is installed, use the following command:
[subs="quotes"]
----
~]$ rpm -q grubby
----
. Configure your bootloader to add `selinux=0` to the kernel command-line:
+
[subs="quotes"]
----
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=*disabled*
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
~]# grubby --update-kernel ALL --args selinux=0
----
. Reboot your system. After reboot, confirm that the [command]`getenforce` command returns `Disabled`:
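Review bot: the `rpm -q grubby` prerequisite check tells the reader nothing about what to do when the package is absent; add the install command (`dnf install grubby`) for that case. The procedure also drops the `SELINUX=disabled` edit of `/etc/selinux/config` without saying what that file should now contain: the commit message notes that `SELINUX=disabled` still yields a similar state, so a reader who keeps both settings will later find that removing `selinux=0` alone does not bring SELinux back. One sentence stating that `/etc/selinux/config` should be left at `enforcing` or `permissive` when disabling via the kernel command line would prevent that. Finally, `grubby --update-kernel ALL --args selinux=0` edits only the boot entries installed at that moment; suggest `grubby --info ALL` as a check that every entry carries `selinux=0`, next to the `getenforce` check after reboot.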


@ -9,6 +9,24 @@ When enabled, SELinux can run in one of two modes: enforcing or permissive. The
While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, follow this procedure:
. In case your system has SELinux disabled at the kernel level (this is the recommended way, see <<{context}-disabling-selinux>>), make sure to undo that first.
.. Check if you have `selinux=0` in your kernel command line:
+
[subs="quotes"]
----
~]$ cat /proc/cmdline
_[...]_ rd.lvm.lv=fedora/swap rhgb quiet *selinux=0*
----
.. If it is there, remove it from the bootloader configuration using [command]`grubby`:
+
----
~]# grubby --update-kernel ALL --remove-args selinux
----
.. The change will be applied after you reboot the system (see below).
. Enable SELinux in permissive mode. For more information, see <<{context}-changing-to-permissive-mode>>.
. Reboot your system.
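Review bot: the check in step 1 reads `/proc/cmdline`, which reflects only the entry that was booted; a `selinux=0` left in another boot entry, or added by hand to `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, would not be caught and would persist in entries that `grubby --update-kernel ALL --remove-args selinux` does not touch. Suggest using `grubby --info ALL | grep selinux` as the check and adding a sentence telling readers to remove the parameter from `/etc/default/grub` as well. The hunk also stops at the reboot without noting the consequence of having run with `selinux=0`: files created while SELinux was disabled carry no security labels, so a filesystem relabel is required before switching to enforcing mode; if the later steps of this procedure (outside the hunk) already cover that, a cross-reference from step 1 would help.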