Igor Stoppa wrote: > For the case at hand, would it work if there was a non-API call that you > could use until the API is properly expanded?
Kernel command line switching (i.e. this patch) is fine for my use cases. SELinux folks might want -static int security_debug; +static int security_debug = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE); so that those who are using SELINUX=disabled in /etc/selinux/config won't get oops upon boot by default. If "unlock the pool" were available, SELINUX=enforcing users would be happy. Maybe two modes for rw/ro transition helps. oneway rw -> ro transition mode: can't be made rw again by calling "unlock the pool" API twoway rw <-> ro transition mode: can be made rw again by calling "unlock the pool" API
