mirror of
https://github.com/ansible-collections/ansible.posix.git
synced 2026-01-11 23:25:28 +01:00
595ee76b69
selinux: update kernel boot params when disabling/re-enabling SELinux SUMMARY The ability to disable SELinux from userspace based on the configuration file is being deprecated in favor of the selinux=0 kernel boot parameter. (Note that this affects only the "full" disable; switching to/from permissive mode will work the same as before.) Therefore, enhance the selinux module to try to set/unset the kernel command-line parameter using grubby when enabling/disabling SELinux. If the grubby package is not present on the system, the module will only update the config file and report a warning. Note that even with the runtime disable functionality removed, setting SELINUX=disabled in the config file will lead to a system with no SELinux policy loaded, which will behave in a very similar way as if SELinux was fully disabled, only there could still be some minor performance impact, since the kernel hooks will still be active. More information: https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/ https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable ISSUE TYPE Feature Pull Request COMPONENT NAME selinux module Reviewed-by: Adam Miller <maxamillion@fedoraproject.org> Reviewed-by: Ondrej Mosnáček <omosnacek@gmail.com> Reviewed-by: Abhijeet Kasurde <None> Reviewed-by: quidame <None> Reviewed-by: Hideki Saito <saito@fgrep.org> Reviewed-by: None <None> |
||
|---|---|---|
| .. | ||
| fragments | ||
| changelog.yaml | ||
| config.yaml | ||