1*f22f9aafSPaul MooreWhat: /sys/fs/selinux/disable 2*f22f9aafSPaul MooreDate: April 2005 (predates git) 3*f22f9aafSPaul MooreKernelVersion: 2.6.12-rc2 (predates git) 4*f22f9aafSPaul MooreContact: selinux@vger.kernel.org 5*f22f9aafSPaul MooreDescription: 6*f22f9aafSPaul Moore 7*f22f9aafSPaul Moore REMOVAL UPDATE: The SELinux runtime disable functionality was removed 8*f22f9aafSPaul Moore in March 2023, the original deprecation notice is shown below. 9*f22f9aafSPaul Moore 10*f22f9aafSPaul Moore The selinuxfs "disable" node allows SELinux to be disabled at runtime 11*f22f9aafSPaul Moore prior to a policy being loaded into the kernel. If disabled via this 12*f22f9aafSPaul Moore mechanism, SELinux will remain disabled until the system is rebooted. 13*f22f9aafSPaul Moore 14*f22f9aafSPaul Moore The preferred method of disabling SELinux is via the "selinux=0" boot 15*f22f9aafSPaul Moore parameter, but the selinuxfs "disable" node was created to make it 16*f22f9aafSPaul Moore easier for systems with primitive bootloaders that did not allow for 17*f22f9aafSPaul Moore easy modification of the kernel command line. Unfortunately, allowing 18*f22f9aafSPaul Moore for SELinux to be disabled at runtime makes it difficult to secure the 19*f22f9aafSPaul Moore kernel's LSM hooks using the "__ro_after_init" feature. 20*f22f9aafSPaul Moore 21*f22f9aafSPaul Moore Thankfully, the need for the SELinux runtime disable appears to be 22*f22f9aafSPaul Moore gone, the default Kconfig configuration disables this selinuxfs node, 23*f22f9aafSPaul Moore and only one of the major distributions, Fedora, supports disabling 24*f22f9aafSPaul Moore SELinux at runtime. Fedora is in the process of removing the 25*f22f9aafSPaul Moore selinuxfs "disable" node and once that is complete we will start the 26*f22f9aafSPaul Moore slow process of removing this code from the kernel. 27*f22f9aafSPaul Moore 28*f22f9aafSPaul Moore More information on /sys/fs/selinux/disable can be found under the 29*f22f9aafSPaul Moore CONFIG_SECURITY_SELINUX_DISABLE Kconfig option. 30