Re: [RFC] selinux: add selinux=2 boot parameter for permissive mode through kernel cmdline

Next message: Adhemerval Zanella Netto: "Re: [RFC] Modernizing Linux authentication logs (lastlog, btmp, utmp, wtmp) with SQLite"
Previous message: Lorenzo Stoakes (Oracle): "Re: [RESEND PATCH 4/4] selftests/mm: transhuge_stress: skip the test when thp not available"
In reply to: Stephen Smalley: "Re: [RFC] selinux: add selinux=2 boot parameter for permissive mode through kernel cmdline"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paul Moore

Date: Fri Mar 13 2026 - 14:06:18 EST

On Fri, Mar 13, 2026 at 10:44 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> On Fri, Mar 13, 2026 at 2:12 AM Marwan Seliem <marwanmhks@xxxxxxxxx> wrote:
> >
> > Hi Paul, Stephen, Ondrej,
> >
> > I wanted to reach out to ask whether a change like the following would be considered useful or acceptable upstream, before investing more time polishing it.
> >
> > Background
> > ----------
> > On a platform with the following Kconfig:
> >
> > CONFIG_SECURITY_SELINUX_DEVELOP is not set
> > CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> >
> > The only runtime options for the selinux= boot parameter are:
> >
> > selinux=0 -> SELinux disabled entirely
> > selinux=1 -> SELinux enforcing, non-switchable
> >
> > There is no way to boot into permissive mode without either enabling
> > CONFIG_SECURITY_SELINUX_DEVELOP (which also enables setenforce and is
> > not desirable in production) or disabling SELinux entirely.
>
> Android handles this by neverallow'ing setenforce permission in their policy.
> Hence, they can enable CONFIG_SECURITY_SELINUX_DEVELOP but prohibit
> any userspace setenforce beyond the initial setenforce(1) by the init
> program.

The Android approach is what I would expect to use in a case like
this, and honestly I prefer that much more than another kernel command
line state.

--
paul-moore.com