Commit d41415eb authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore

Documentation,selinux: fix references to old selinuxfs mount point



selinuxfs was originally mounted on /selinux, and various docs and
kconfig help texts referred to nodes under it.  In Linux 3.0,
/sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
Change all the old references from /selinux/ to /sys/fs/selinux/.
While we are there, update the description of the selinux boot parameter
to reflect the fact that the default value is always 1 since
commit be6ec88f ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE")
and drop discussion of runtime disable since it is deprecated.

Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 89b223bf
+4 −5
@@ -511,7 +511,7 @@
			1 -- check protection requested by application.
			Default value is set via a kernel config option.
			Value can be changed at runtime via
				/selinux/checkreqprot.
				/sys/fs/selinux/checkreqprot.

	cio_ignore=	[S390]
			See Documentation/s390/common_io.rst for details.
@@ -1245,7 +1245,8 @@
			0 -- permissive (log only, no denials).
			1 -- enforcing (deny and log).
			Default value is 0.
			Value can be changed at runtime via /selinux/enforce.
			Value can be changed at runtime via
			/sys/fs/selinux/enforce.

	erst_disable	[ACPI]
			Disable Error Record Serialization Table (ERST)
@@ -4348,9 +4349,7 @@
			See security/selinux/Kconfig help text.
			0 -- disable.
			1 -- enable.
			Default value is set via kernel config option.
			If enabled at boot time, /selinux/disable can be used
			later to disable prior to initial policy load.
			Default value is 1.

	apparmor=	[APPARMOR] Disable or enable AppArmor at boot time
			Format: { "0" | "1" }
+4 −3
@@ -58,7 +58,8 @@ config SECURITY_SELINUX_DEVELOP
	  kernel will start in permissive mode (log everything, deny nothing)
	  unless you specify enforcing=1 on the kernel command line.  You
	  can interactively toggle the kernel between enforcing mode and
	  permissive mode (if permitted by the policy) via /selinux/enforce.
	  permissive mode (if permitted by the policy) via
	  /sys/fs/selinux/enforce.

config SECURITY_SELINUX_AVC_STATS
	bool "NSA SELinux AVC Statistics"
@@ -66,7 +67,7 @@ config SECURITY_SELINUX_AVC_STATS
	default y
	help
	  This option collects access vector cache statistics to
	  /selinux/avc/cache_stats, which may be monitored via
	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
	  tools such as avcstat.

config SECURITY_SELINUX_CHECKREQPROT_VALUE
@@ -85,7 +86,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
	  default to checking the protection requested by the application.
	  The checkreqprot flag may be changed from the default via the
	  'checkreqprot=' boot parameter.  It may also be changed at runtime
	  via /selinux/checkreqprot if authorized by policy.
	  via /sys/fs/selinux/checkreqprot if authorized by policy.

	  If you are unsure how to answer this question, answer 0.