diff options
author | Randy Dunlap <rdunlap@infradead.org> | 2022-02-28 20:14:54 -0800 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2022-06-13 14:59:53 -0400 |
commit | 8d6d51edcb79b0906288170df165c1b86e278218 (patch) | |
tree | 4ff2cffc1d1370da97a4d91dacc5dde4a021c10f | |
parent | 2bfe15c5261212130f1a71f32a300bcf426443d4 (diff) |
docs: selinux: add '=' signs to kernel boot options
Provide the full kernel boot option string (with ending '=' sign).
They won't work without that and that is how other boot options are
listed.
If used without an '=' sign (as listed here), they cause an "Unknown
parameters" message and are added to init's argument strings,
polluting them.
Unknown kernel command line parameters "enforcing checkreqprot
BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space.
Run /sbin/init as init process
with arguments:
/sbin/init
enforcing
checkreqprot
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc6
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Eric Paris <eparis@parisplace.org>
Cc: selinux@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
[PM: removed bogus 'Fixes' line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | Documentation/admin-guide/kernel-parameters.txt | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 8090130b544b..815af6d7a199 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -550,7 +550,7 @@ nosocket -- Disable socket memory accounting. nokmem -- Disable kernel memory accounting. - checkreqprot [SELINUX] Set initial checkreqprot flag value. + checkreqprot= [SELINUX] Set initial checkreqprot flag value. Format: { "0" | "1" } See security/selinux/Kconfig help text. 0 -- check protection applied by kernel (includes @@ -1439,7 +1439,7 @@ (in particular on some ATI chipsets). The kernel tries to set a reasonable default. - enforcing [SELINUX] Set initial enforcing status. + enforcing= [SELINUX] Set initial enforcing status. Format: {"0" | "1"} See security/selinux/Kconfig help text. 0 -- permissive (log only, no denials). |