From 4cdd6f833212270c4f54b3be6d1471d825ae910d Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Sep 24 2020 14:31:12 +0000 Subject: Update /etc/selinux/config for removal of runtime SELinux disable This is in preparation for the following Fedora Change: https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable Signed-off-by: Ondrej Mosnacek
---
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2953ea4..28e602c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -498,6 +498,21 @@ echo "
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
+# See also:
+# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
+#
+# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
+# fully disable SELinux during boot. If you need a system with SELinux
+# fully disabled instead of SELinux running with no policy loaded, you
+# need to pass selinux=0 to the kernel command line. You can use grubby
+# to persistently set the bootloader to boot with selinux=0:
+#
+# grubby --update-kernel ALL --args selinux=0
+#
+# To revert back to SELinux enabled:
+#
+# grubby --update-kernel ALL --remove-args selinux
+#
 SELINUX=enforcing
 # SELINUXTYPE= can take one of these three values:
 # targeted - Targeted processes are protected,
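Review bot: The added NOTE explains how to switch SELinux off entirely with `selinux=0` but says nothing about the cost or the safer alternative, and this text is written into the generated /etc/selinux/config. Before the grubby example I would add `# Prefer SELINUX=permissive for troubleshooting; it keeps labeling active and still logs denials.`, and after the revert command `# Files created while SELinux was off are unlabeled; relabel the filesystem before enforcing again.` Fedora may already trigger that relabel automatically on the next boot, so confirm this before wording it as a required step. The comment sits inside a double-quoted `echo "` that opens above the hunk, so any added text must stay free of `"`, `$` and backticks, as the current lines are.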