Documentation,selinux: fix references to old selinuxfs mount point

selinuxfs was originally mounted on /selinux, and various docs and
kconfig help texts referred to nodes under it.  In Linux 3.0,
/sys/fs/selinux was introduced as the preferred mount point for selinuxfs.
Fix all the old references to /selinux/ to /sys/fs/selinux/.
While we are there, update the description of the selinux boot parameter
to reflect the fact that the default value is always 1 since
commit be6ec88f41ba94 ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE")
and drop discussion of runtime disable since it is deprecated.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index ade4e6e..eed5129 100644 (file)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -511,7 +511,7 @@
                        1 -- check protection requested by application.
                        Default value is set via a kernel config option.
                        Value can be changed at runtime via
-                               /selinux/checkreqprot.
+                               /sys/fs/selinux/checkreqprot.
 
        cio_ignore=     [S390]
                        See Documentation/s390/common_io.rst for details.
@@ -1245,7 +1245,8 @@
                        0 -- permissive (log only, no denials).
                        1 -- enforcing (deny and log).
                        Default value is 0.
-                       Value can be changed at runtime via /selinux/enforce.
+                       Value can be changed at runtime via
+                       /sys/fs/selinux/enforce.
 
        erst_disable    [ACPI]
                        Disable Error Record Serialization Table (ERST)
@@ -4348,9 +4349,7 @@
                        See security/selinux/Kconfig help text.
                        0 -- disable.
                        1 -- enable.
-                       Default value is set via kernel config option.
-                       If enabled at boot time, /selinux/disable can be used
-                       later to disable prior to initial policy load.
+                       Default value is 1.
 
        apparmor=       [APPARMOR] Disable or enable AppArmor at boot time
                        Format: { "0" | "1" }

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 580ac24..1014cb0 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -58,7 +58,8 @@ config SECURITY_SELINUX_DEVELOP
          kernel will start in permissive mode (log everything, deny nothing)
          unless you specify enforcing=1 on the kernel command line.  You
          can interactively toggle the kernel between enforcing mode and
-         permissive mode (if permitted by the policy) via /selinux/enforce.
+         permissive mode (if permitted by the policy) via
+         /sys/fs/selinux/enforce.
 
 config SECURITY_SELINUX_AVC_STATS
        bool "NSA SELinux AVC Statistics"
@@ -66,7 +67,7 @@ config SECURITY_SELINUX_AVC_STATS
        default y
        help
          This option collects access vector cache statistics to
-         /selinux/avc/cache_stats, which may be monitored via
+         /sys/fs/selinux/avc/cache_stats, which may be monitored via
          tools such as avcstat.
 
 config SECURITY_SELINUX_CHECKREQPROT_VALUE
@@ -85,7 +86,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
          default to checking the protection requested by the application.
          The checkreqprot flag may be changed from the default via the
          'checkreqprot=' boot parameter.  It may also be changed at runtime
-         via /selinux/checkreqprot if authorized by policy.
+         via /sys/fs/selinux/checkreqprot if authorized by policy.
 
          If you are unsure how to answer this question, answer 0.