From: Paul Moore Date: Tue, 1 Mar 2022 22:53:01 +0000 (-0500) Subject: selinux: runtime disable is deprecated, add some ssleep() discomfort X-Git-Tag: v5.19-rc1~196^2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43b666622c60bc001f2f8a19f5f97946ff53a5cc;p=thirdparty%2Flinux.git selinux: runtime disable is deprecated, add some ssleep() discomfort We deprecated the SELinux runtime disable functionality in Linux v5.6, and it is time to get a bit more serious about removing it. Add a five second sleep to anyone using it to help draw their attention to the deprecation and provide a URL which helps explain things in more detail, including how to add kernel command line parameters to some of the more popular Linux distributions. Acked-by: Casey Schaufler Signed-off-by: Paul Moore --- diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 097c6d866ec4d..6568bc48cd3e2 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, * kernel releases until eventually it is removed */ pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); + ssleep(5); if (count >= PAGE_SIZE) return -ENOMEM;
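Review bot: in sel_write_disable() the added ssleep(5) sits ahead of the `if (count >= PAGE_SIZE)` check, so every write that reaches this point, including one that is then rejected with -ENOMEM, logs both pr_err() lines and blocks for five seconds. If the delay is meant only for callers that actually go on to request a disable, move the two added lines below the input validation; if penalising every caller is intended, say so in the comment block above the pr_err(). ssleep() is an uninterruptible sleep, so the writing task cannot be signalled out of the wait, and a short comment next to the call noting that and the reason for the value 5 would help whoever later increases it. The hunk adds no #include, so confirm that linux/delay.h is already pulled into selinuxfs.c.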