mirror of
https://github.com/torvalds/linux.git
synced 2024-12-27 13:22:23 +00:00
Documentation,selinux: fix references to old selinuxfs mount point
selinuxfs was originally mounted on /selinux, and various docs and
kconfig help texts referred to nodes under it. In Linux 3.0,
/sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
Fix all the old references to /selinux/ to /sys/fs/selinux/.
While we are there, update the description of the selinux boot parameter
to reflect the fact that the default value is always 1 since
commit be6ec88f41
("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE")
and drop discussion of runtime disable since it is deprecated.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
89b223bfb8
commit
d41415eb5e
@ -511,7 +511,7 @@
|
||||
1 -- check protection requested by application.
|
||||
Default value is set via a kernel config option.
|
||||
Value can be changed at runtime via
|
||||
/selinux/checkreqprot.
|
||||
/sys/fs/selinux/checkreqprot.
|
||||
|
||||
cio_ignore= [S390]
|
||||
See Documentation/s390/common_io.rst for details.
|
||||
@ -1245,7 +1245,8 @@
|
||||
0 -- permissive (log only, no denials).
|
||||
1 -- enforcing (deny and log).
|
||||
Default value is 0.
|
||||
Value can be changed at runtime via /selinux/enforce.
|
||||
Value can be changed at runtime via
|
||||
/sys/fs/selinux/enforce.
|
||||
|
||||
erst_disable [ACPI]
|
||||
Disable Error Record Serialization Table (ERST)
|
||||
@ -4348,9 +4349,7 @@
|
||||
See security/selinux/Kconfig help text.
|
||||
0 -- disable.
|
||||
1 -- enable.
|
||||
Default value is set via kernel config option.
|
||||
If enabled at boot time, /selinux/disable can be used
|
||||
later to disable prior to initial policy load.
|
||||
Default value is 1.
|
||||
|
||||
apparmor= [APPARMOR] Disable or enable AppArmor at boot time
|
||||
Format: { "0" | "1" }
|
||||
|
@ -58,7 +58,8 @@ config SECURITY_SELINUX_DEVELOP
|
||||
kernel will start in permissive mode (log everything, deny nothing)
|
||||
unless you specify enforcing=1 on the kernel command line. You
|
||||
can interactively toggle the kernel between enforcing mode and
|
||||
permissive mode (if permitted by the policy) via /selinux/enforce.
|
||||
permissive mode (if permitted by the policy) via
|
||||
/sys/fs/selinux/enforce.
|
||||
|
||||
config SECURITY_SELINUX_AVC_STATS
|
||||
bool "NSA SELinux AVC Statistics"
|
||||
@ -66,7 +67,7 @@ config SECURITY_SELINUX_AVC_STATS
|
||||
default y
|
||||
help
|
||||
This option collects access vector cache statistics to
|
||||
/selinux/avc/cache_stats, which may be monitored via
|
||||
/sys/fs/selinux/avc/cache_stats, which may be monitored via
|
||||
tools such as avcstat.
|
||||
|
||||
config SECURITY_SELINUX_CHECKREQPROT_VALUE
|
||||
@ -85,7 +86,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
|
||||
default to checking the protection requested by the application.
|
||||
The checkreqprot flag may be changed from the default via the
|
||||
'checkreqprot=' boot parameter. It may also be changed at runtime
|
||||
via /selinux/checkreqprot if authorized by policy.
|
||||
via /sys/fs/selinux/checkreqprot if authorized by policy.
|
||||
|
||||
If you are unsure how to answer this question, answer 0.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user