Commit 43b66662 authored by Paul Moore's avatar Paul Moore
Browse files

selinux: runtime disable is deprecated, add some ssleep() discomfort 



We deprecated the SELinux runtime disable functionality in Linux
v5.6, and it is time to get a bit more serious about removing it.
Add a five second sleep to anyone using it to help draw their
attention to the deprecation and provide a URL which helps explain
things in more detail, including how to add kernel command line
parameters to some of the more popular Linux distributions.

Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 0a9876f3

security/selinux/selinuxfs.c

+2 −0
Original line number Diff line number Diff line
@@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, 
	 *       kernel releases until eventually it is removed

	 */

	pr_err("SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");

	pr_err("SELinux:  https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");

	ssleep(5);



	if (count >= PAGE_SIZE)

		return -ENOMEM;