This is a tracking bug for Change: Remove support for SELinux runtime disable
For more details, see: https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections.
Related (first small step on the journey): https://src.fedoraproject.org/rpms/selinux-policy/c/4cdd6f833212270c4f54b3be6d1471d825ae910d
Fedora/ARK kernel PR to disable the config option: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/685
Upstream pull request for Anaconda to disable SELinux via boot param: https://github.com/rhinstaller/anaconda/pull/2939
PR for Fedora quick-docs update: https://pagure.io/fedora-docs/quick-docs/pull-request/293
selinux(8) manpage patch (upstream): https://lore.kernel.org/selinux/20201111095134.481658-1-omosnace@redhat.com/T/
All the important changes have now been applied. The only pending change is updating Ansible's selinux module to disable SELinux via the kernel parameter, but that is not a blocker. It has also been suggested to have some warning printed when the system is booted with SELINUX=disabled in the config file, but no selinux=0 on the kernel command-line (e.g. via a one-shot systemd unit), which is again non-blocking. Based on the above, moving the status to MODIFIED.
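The check suggested in the comment above (SELINUX=disabled in the config file, but no selinux=0 on the kernel command line), sketched as a script that a one-shot systemd unit could run. This is an added example, not code from the bug or from Fedora; the function names, the SELINUX_CONFIG and KERNEL_CMDLINE overrides, and the first-match/last-match parsing rules are assumptions.

```shell
#!/bin/sh
# Added example (not Fedora's code): warn when the config file says
# SELINUX=disabled but the kernel was not booted with selinux=0.

# Print the SELINUX= mode from a config file, lower-cased.
# Assumption: the first SELINUX= line at the start of a line is the one used.
selinux_config_mode() {
    # $1: path to the config file (normally /etc/selinux/config)
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" 2>/dev/null \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Succeed if the kernel command line disables SELinux with selinux=0.
# Assumption: when selinux= appears more than once, the last one applies.
cmdline_has_selinux0() {
    # $1: file holding the kernel command line (normally /proc/cmdline)
    [ -r "$1" ] || return 1
    last=$(tr ' ' '\n' < "$1" | grep '^selinux=' | tail -n 1)
    [ "$last" = "selinux=0" ]
}

# Succeed (exit status 0) only for the mismatch described in the comment:
# disabled in the config file, but no selinux=0 at boot.
selinux_disable_mismatch() {
    # $1: config file, $2: kernel command line file
    [ "$(selinux_config_mode "$1")" = "disabled" ] || return 1
    cmdline_has_selinux0 "$2" && return 1
    return 0
}

# Paths can be overridden for testing (hypothetical variable names).
if selinux_disable_mismatch "${SELINUX_CONFIG:-/etc/selinux/config}" \
                            "${KERNEL_CMDLINE:-/proc/cmdline}"; then
    echo "warning: SELINUX=disabled is set in the config file," \
         "but selinux=0 is not on the kernel command line" >&2
fi
```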
Reminder: The change complete (100% complete) deadline for Fedora 34 changes is Tuesday 23 February. At that point, changes should be 100% code complete, along with supporting documentation where appropriate. Please indicate this by setting the tracker bug for your change to ON_QA.
The supporting changes to ansible are only in the form of a PR at this point, but otherwise the change can be considered code complete.
Closing Changes Tracking bugs for the Fedora Linux 34 release. If your change did not make it into the release, please reopen and needinfo bcotton.