* [PATCH v2 0/3] selinux: prune deprecated interfaces
@ 2026-04-29 21:12 Stephen Smalley
2026-04-29 21:12 ` [PATCH v2 1/3] selinux: prune /sys/fs/selinux/checkreqprot Stephen Smalley
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Stephen Smalley @ 2026-04-29 21:12 UTC (permalink / raw)
To: selinux; +Cc: paul, omosnace, Stephen Smalley
*** BLURB HERE ***
Stephen Smalley (3):
selinux: prune /sys/fs/selinux/checkreqprot
selinux: prune /sys/fs/selinux/disable
selinux: prune /sys/fs/selinux/user
.../{obsolete => removed}/sysfs-selinux-user | 0
security/selinux/include/security.h | 2 -
security/selinux/selinuxfs.c | 145 ++----------------
security/selinux/ss/services.c | 125 ---------------
4 files changed, 13 insertions(+), 259 deletions(-)
rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)
--
2.54.0
* [PATCH v2 1/3] selinux: prune /sys/fs/selinux/checkreqprot
@ 2026-04-29 21:12 Stephen Smalley
From: Stephen Smalley @ 2026-04-29 21:12 UTC (permalink / raw)
To: selinux; +Cc: paul, omosnace, Stephen Smalley

commit a7e4676e8e2cb ("selinux: remove the 'checkreqprot'
functionality") removed the ability to modify the checkreqprot setting
but left everything except the updating of the checkreqprot value
intact. Aside from unnecessary processing, this could produce a local
DoS from log spam and incorrectly calls selinux_ima_measure_state() on
each write even though no state has changed. Prune it to just return
count (i.e. all bytes written successfully) so that userspace never
breaks.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/selinuxfs.c | 45 ++++--------------------------------
 1 file changed, 5 insertions(+), 40 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 8c107af5140e..71ffa64b15a6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -689,46 +689,11 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - char *page; - ssize_t length; - unsigned int new_value; - - length = avc_has_perm(current_sid(), SECINITSID_SECURITY, - SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, - NULL); - if (length) - return length; - - if (count >= PAGE_SIZE) - return -ENOMEM; - - /* No partial writes. */ - if (*ppos != 0) - return -EINVAL; - - page = memdup_user_nul(buf, count); - if (IS_ERR(page)) - return PTR_ERR(page); - - if (sscanf(page, "%u", &new_value) != 1) { - length = -EINVAL; - goto out; - } - length = count; - - if (new_value) { - char comm[sizeof(current->comm)]; - - strscpy(comm, current->comm); - pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n", - comm, current->pid); - } - - selinux_ima_measure_state(); - -out: - kfree(page); - return length; + /* + * Setting checkreqprot is no longer supported, see + * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot + */ + return count; } static const struct file_operations sel_checkreqprot_ops = { .read = sel_read_checkreqprot, -- 2.54.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
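Review bot: with the pr_err() gone, sel_write_checkreqprot() no longer gives an administrator any signal that a tool on the system still writes to checkreqprot; a pr_err_once() in the new stub keeps a single notification without the per-write log spam the commit message is fixing, e.g. `pr_err_once("SELinux: setting checkreqprot is no longer supported\n");` right before `return count;`. Dropping the avc_has_perm(SECURITY__SETCHECKREQPROT) check together with the `*ppos` and `count >= PAGE_SIZE` guards is safe because the write no longer reads the buffer or touches any state, but the commit message should say that the setcheckreqprot permission is now unchecked on this path. Removing the selinux_ima_measure_state() call is correct: nothing measurable changes on a write any more.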
* Re: [PATCH v2 1/3] selinux: prune /sys/fs/selinux/checkreqprot
@ 2026-04-30 6:08 Ondrej Mosnacek
From: Ondrej Mosnacek @ 2026-04-30 6:08 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, paul

On Wed, Apr 29, 2026 at 11:13 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> commit a7e4676e8e2cb ("selinux: remove the 'checkreqprot'
> functionality") removed the ability to modify the checkreqprot setting
> but left everything except the updating of the checkreqprot value
> intact. Aside from unnecessary processing, this could produce a local
> DoS from log spam and incorrectly calls selinux_ima_measure_state() on
> each write even though no state has changed. Prune it to just return
> count (i.e. all bytes written successfully) so that userspace never
> breaks.

The log spam could also be addressed by switching to pr_err_once(), but
a full removal is also fine with me.

>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> security/selinux/selinuxfs.c | 45 ++++--------------------------------
> 1 file changed, 5 insertions(+), 40 deletions(-)

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
* Re: [PATCH v2 1/3] selinux: prune /sys/fs/selinux/checkreqprot
@ 2026-05-05 2:35 Paul Moore
From: Paul Moore @ 2026-05-05 2:35 UTC (permalink / raw)
To: Stephen Smalley, selinux; +Cc: omosnace, Stephen Smalley

On Apr 29, 2026 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> commit a7e4676e8e2cb ("selinux: remove the 'checkreqprot'
> functionality") removed the ability to modify the checkreqprot setting
> but left everything except the updating of the checkreqprot value
> intact. Aside from unnecessary processing, this could produce a local
> DoS from log spam and incorrectly calls selinux_ima_measure_state() on
> each write even though no state has changed. Prune it to just return
> count (i.e. all bytes written successfully) so that userspace never
> breaks.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> security/selinux/selinuxfs.c | 45 ++++--------------------------------
> 1 file changed, 5 insertions(+), 40 deletions(-)
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 8c107af5140e..71ffa64b15a6 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -689,46 +689,11 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, > static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, > size_t count, loff_t *ppos) > { > - char *page; > - ssize_t length; > - unsigned int new_value; > - > - length = avc_has_perm(current_sid(), SECINITSID_SECURITY, > - SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, > - NULL); > - if (length) > - return length; > - > - if (count >= PAGE_SIZE) > - return -ENOMEM; > - > - /* No partial writes. */ > - if (*ppos != 0) > - return -EINVAL; > - > - page = memdup_user_nul(buf, count); > - if (IS_ERR(page)) > - return PTR_ERR(page); > - > - if (sscanf(page, "%u", &new_value) != 1) { > - length = -EINVAL; > - goto out; > - } > - length = count; > - > - if (new_value) { > - char comm[sizeof(current->comm)]; > - > - strscpy(comm, current->comm); > - pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n", > - comm, current->pid); > - } I agree with Ondrej's comment that the log spam problem could be resolved with pr_err_once() while still preserving the notification. Since it will only be reported once, you can probably skip the read/parsing/etc. and just report that checkreqprot is no longer supported: static ssize_t swl_write_checkreqprot(...) { /* * Setting ... <deprecation url> */ pr_err_once(...); return count; } > - selinux_ima_measure_state(); > - > -out: > - kfree(page); > - return length; > + /* > + * Setting checkreqprot is no longer supported, see > + * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot > + */ > + return count; > } > static const struct file_operations sel_checkreqprot_ops = { > .read = sel_read_checkreqprot, > -- > 2.54.0 -- paul-moore.com ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2 2/3] selinux: prune /sys/fs/selinux/disable
@ 2026-04-29 21:12 Stephen Smalley
From: Stephen Smalley @ 2026-04-29 21:12 UTC (permalink / raw)
To: selinux; +Cc: paul, omosnace, Stephen Smalley

Commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality") removed the SELinux runtime disable functionality but
left everything except the actual runtime disable functionality intact
and started logging an error message to warn any residual users.

Prune it to just return count (i.e. all bytes written successfully) to
avoid breaking userspace. This also fixes a local DoS from logspam.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/selinuxfs.c | 34 +++++-----------------------------
 1 file changed, 5 insertions(+), 29 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 71ffa64b15a6..2181c82b5159 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -272,35 +272,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - char *page; - ssize_t length; - int new_value; - - if (count >= PAGE_SIZE) - return -ENOMEM; - - /* No partial writes. */ - if (*ppos != 0) - return -EINVAL; - - page = memdup_user_nul(buf, count); - if (IS_ERR(page)) - return PTR_ERR(page); - - if (sscanf(page, "%d", &new_value) != 1) { - length = -EINVAL; - goto out; - } - length = count; - - if (new_value) { - pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); - pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n"); - } - -out: - kfree(page); - return length; + /* + * Setting disable is no longer supported, see + * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable + */ + return count; } static const struct file_operations sel_disable_ops = { -- 2.54.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
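Review bot: same point as for 1/3: the two deleted pr_err() lines were the only hint an administrator got that runtime disable is gone and that `selinux=0` on the kernel command line is the replacement, so keep one pr_err_once() carrying that hint (the wiki URL and the `selinux=0` advice) in the stub instead of dropping the message entirely. Unlike the checkreqprot path, sel_write_disable() never had an avc_has_perm() check, so the stub does not weaken any permission check; the removed `*ppos` and `count >= PAGE_SIZE` guards are harmless now that the buffer is never read.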
* Re: [PATCH v2 2/3] selinux: prune /sys/fs/selinux/disable
@ 2026-05-05 2:35 Paul Moore
From: Paul Moore @ 2026-05-05 2:35 UTC (permalink / raw)
To: Stephen Smalley, selinux; +Cc: omosnace, Stephen Smalley

On Apr 29, 2026 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> Commit f22f9aaf6c3d ("selinux: remove the runtime disable
> functionality") removed the SELinux runtime disable functionality but
> left everything except the actual runtime disable functionality intact
> and started logging an error message to warn any residual users.
>
> Prune it to just return count (i.e. all bytes written successfully) to
> avoid breaking userspace. This also fixes a local DoS from logspam.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> security/selinux/selinuxfs.c | 34 +++++-----------------------------
> 1 file changed, 5 insertions(+), 29 deletions(-)

Please do the same thing here that was suggested in patch 1/3.

--
paul-moore.com
* [PATCH v2 3/3] selinux: prune /sys/fs/selinux/user
@ 2026-04-29 21:12 Stephen Smalley
From: Stephen Smalley @ 2026-04-29 21:12 UTC (permalink / raw)
To: selinux; +Cc: paul, omosnace, Stephen Smalley

Finish removal of the /sys/fs/selinux/user interface aside from a
residual stub for userspace compatibility.

Commit d7b6918e22c7 ("selinux: Deprecate /sys/fs/selinux/user") started
the deprecation process for /sys/fs/selinux/user:

    The selinuxfs "user" node allows userspace to request a list
    of security contexts that can be reached for a given SELinux
    user from a given starting context. This was used by libselinux
    when various login-style programs requested contexts for
    users, but libselinux stopped using it in 2020.
    Kernel support will be removed no sooner than Dec 2025.

A pr_warn() message has been in place since Linux v6.13, and a 5
second sleep was introduced since Linux v6.17 to help make it more
noticeable.

We are now past the stated deadline of Dec 2025, so remove the
underlying functionality and replace it with a stub that returns a
'0\0' buffer to avoid breaking userspace. This also avoids a local DoS
from logspam.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 .../{obsolete => removed}/sysfs-selinux-user | 0
 security/selinux/include/security.h | 2 -
 security/selinux/selinuxfs.c | 66 +--------
 security/selinux/ss/services.c | 125 ------------------
 4 files changed, 3 insertions(+), 190 deletions(-)
 rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)
diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/removed/sysfs-selinux-user similarity index 100% rename from Documentation/ABI/obsolete/sysfs-selinux-user rename to Documentation/ABI/removed/sysfs-selinux-user diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index d1f16d7f684d..0babb8992181 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -312,8 +312,6 @@ int security_context_to_sid_default(const char *scontext, u32 scontext_len, int security_context_to_sid_force(const char *scontext, u32 scontext_len, u32 *sid); -int security_get_user_sids(u32 fromsid, const char *username, u32 **sids, u32 *nel); - int security_port_sid(u8 protocol, u16 port, u32 *out_sid); int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 2181c82b5159..fe84901ffb8e 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c 
@@ -1014,69 +1014,9 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) static ssize_t sel_write_user(struct file *file, char *buf, size_t size) { - char *con = NULL, *user = NULL, *ptr; - u32 sid, *sids = NULL; - ssize_t length; - char *newcon; - int rc; - u32 i, len, nsids; - - pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" - " This will not be supported in the future; please update your" - " userspace.\n", current->comm, current->pid); - ssleep(5); - - length = avc_has_perm(current_sid(), SECINITSID_SECURITY, - SECCLASS_SECURITY, SECURITY__COMPUTE_USER, - NULL); - if (length) - goto out; - - length = -ENOMEM; - con = kzalloc(size + 1, GFP_KERNEL); - if (!con) - goto out; - - length = -ENOMEM; - user = kzalloc(size + 1, GFP_KERNEL); - if (!user) - goto out; - - length = -EINVAL; - if (sscanf(buf, "%s %s", con, user) != 2) - goto out; - - length = security_context_str_to_sid(con, &sid, GFP_KERNEL); - if (length) - goto out; - - length = security_get_user_sids(sid, user, &sids, &nsids); - if (length) - goto out; - - length = sprintf(buf, "%u", nsids) + 1; - ptr = buf + length; - for (i = 0; i < nsids; i++) { - rc = security_sid_to_context(sids[i], &newcon, &len); - if (rc) { - length = rc; - goto out; - } - if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) { - kfree(newcon); - length = -ERANGE; - goto out; - } - memcpy(ptr, newcon, len); - kfree(newcon); - ptr += len; - length += len; - } -out: - kfree(sids); - kfree(user); - kfree(con); - return length; + buf[0] = '0'; + buf[1] = 0; + return 2; } static ssize_t sel_write_member(struct file *file, char *buf, size_t size) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e8e7ccbd1e44..143021c5e326 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -2746,131 +2746,6 @@ int security_node_sid(u16 domain, return rc; } -#define SIDS_NEL 25 - -/** - * security_get_user_sids - Obtain reachable SIDs for a user. - * @fromsid: starting SID - * @username: username - * @sids: array of reachable SIDs for user - * @nel: number of elements in @sids - * - * Generate the set of SIDs for legal security contexts - * for a given user that can be reached by @fromsid. - * Set *@sids to point to a dynamically allocated - * array containing the set of SIDs. Set *@nel to the - * number of elements in the array. - */ - -int security_get_user_sids(u32 fromsid, - const char *username, - u32 **sids, - u32 *nel) -{ - struct selinux_policy *policy; - struct policydb *policydb; - struct sidtab *sidtab; - struct context *fromcon, usercon; - u32 *mysids = NULL, *mysids2, sid; - u32 i, j, mynel, maxnel = SIDS_NEL; - struct user_datum *user; - struct role_datum *role; - struct ebitmap_node *rnode, *tnode; - int rc; - - *sids = NULL; - *nel = 0; - - if (!selinux_initialized()) - return 0; - - mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL); - if (!mysids) - return -ENOMEM; - -retry: - mynel = 0; - rcu_read_lock(); - policy = rcu_dereference(selinux_state.policy); - policydb = &policy->policydb; - sidtab = policy->sidtab; - - context_init(&usercon); - - rc = -EINVAL; - fromcon = sidtab_search(sidtab, fromsid); - if (!fromcon) - goto out_unlock; - - rc = -EINVAL; - user = symtab_search(&policydb->p_users, username); - if (!user) - goto out_unlock; - - usercon.user = user->value; - - ebitmap_for_each_positive_bit(&user->roles, rnode, i) { - role = policydb->role_val_to_struct[i]; - usercon.role = i + 1; - ebitmap_for_each_positive_bit(&role->types, tnode, j) { - usercon.type = j + 1; - - if (mls_setup_user_range(policydb, fromcon, user, - &usercon)) - continue; - - rc = sidtab_context_to_sid(sidtab, &usercon, &sid); - if (rc == -ESTALE) { - rcu_read_unlock(); - goto retry; - } - if (rc) - goto out_unlock; - if (mynel < maxnel) { - 
mysids[mynel++] = sid; - } else { - rc = -ENOMEM; - maxnel += SIDS_NEL; - mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); - if (!mysids2) - goto out_unlock; - memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); - kfree(mysids); - mysids = mysids2; - mysids[mynel++] = sid; - } - } - } - rc = 0; -out_unlock: - rcu_read_unlock(); - if (rc || !mynel) { - kfree(mysids); - return rc; - } - - rc = -ENOMEM; - mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); - if (!mysids2) { - kfree(mysids); - return rc; - } - for (i = 0, j = 0; i < mynel; i++) { - struct av_decision dummy_avd; - rc = avc_has_perm_noaudit(fromsid, mysids[i], - SECCLASS_PROCESS, /* kernel value */ - PROCESS__TRANSITION, AVC_STRICT, - &dummy_avd); - if (!rc) - mysids2[j++] = mysids[i]; - cond_resched(); - } - kfree(mysids); - *sids = mysids2; - *nel = j; - return 0; -} - /** * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem * @policy: policy -- 2.54.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
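Review bot: for the sel_write_user() hunk in selinuxfs.c, the two-byte `"0\0"` reply is exactly what the removed code produced for nsids == 0 (`length = sprintf(buf, "%u", nsids) + 1;` with no contexts appended), so a caller that parses a count followed by NUL-terminated contexts keeps working; please add the same deprecation-wiki comment the checkreqprot and disable stubs carry so the reason for the stub is visible in the code, and a pr_err_once() as suggested for 1/3 in place of the removed pr_warn_ratelimited()/ssleep(5) pair. The avc_has_perm() check for SECURITY__COMPUTE_USER disappears with this hunk; if nothing else checks that permission it becomes dead in policy, which the commit message should mention.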
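Review bot: for the services.c hunk, security_get_user_sids() is the only caller of mls_setup_user_range() visible in this diff; if it has no other users, remove that helper and its declaration in the same patch rather than leaving a dead function behind. The SIDS_NEL define correctly goes with the function, and the security.h hunk drops the matching prototype, so header and implementation stay consistent.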
* Re: [PATCH v2 3/3] selinux: prune /sys/fs/selinux/user
@ 2026-05-05 2:35 Paul Moore
From: Paul Moore @ 2026-05-05 2:35 UTC (permalink / raw)
To: Stephen Smalley, selinux; +Cc: omosnace, Stephen Smalley

On Apr 29, 2026 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> Finish removal of the /sys/fs/selinux/user interface aside from a
> residual stub for userspace compatibility.
>
> Commit d7b6918e22c7 ("selinux: Deprecate /sys/fs/selinux/user") started
> the deprecation process for /sys/fs/selinux/user:
>
> The selinuxfs "user" node allows userspace to request a list
> of security contexts that can be reached for a given SELinux
> user from a given starting context. This was used by libselinux
> when various login-style programs requested contexts for
> users, but libselinux stopped using it in 2020.
> Kernel support will be removed no sooner than Dec 2025.
>
> A pr_warn() message has been in place since Linux v6.13, and a 5
> second sleep was introduced since Linux v6.17 to help make it more
> noticeable.
>
> We are now past the stated deadline of Dec 2025, so remove the
> underlying functionality and replace it with a stub that returns a
> '0\0' buffer to avoid breaking userspace. This also avoids a local DoS
> from logspam.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> .../{obsolete => removed}/sysfs-selinux-user | 0
> security/selinux/include/security.h | 2 -
> security/selinux/selinuxfs.c | 66 +--------
> security/selinux/ss/services.c | 125 ------------------
> 4 files changed, 3 insertions(+), 190 deletions(-)
> rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)

Again, please do the same thing here that was suggested in patch 1/3.

--
paul-moore.com
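The reply format that patch 3/3 preserves, as an added example that is not part of the thread and not kernel or libselinux code. It assumes only what the removed sel_write_user() hunk shows: the old handler answered with a decimal count, a NUL, then that many NUL-terminated contexts, and the new stub answers "0\0" (two bytes). The parser below is a hypothetical userspace consumer of that layout, and the sample replies are constructed here, not captured from a kernel. It shows why the stub has to write both bytes: a bare "0" without its NUL is rejected, while "0\0" parses as a valid reply with zero contexts, just as the old code's `sprintf(buf, "%u", nsids) + 1` did for nsids == 0.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse a /sys/fs/selinux/user style reply: "<count>\0<ctx1>\0<ctx2>\0...".
 * Hypothetical userspace parser written for this example; it follows the
 * layout the removed kernel code produced, not libselinux's own code.
 * Returns the number of contexts on success and -1 on a malformed reply.
 * Each context is handed to `visit` (which may be NULL) as it is found.
 */
int parse_user_reply(const char *buf, size_t len,
                     void (*visit)(const char *ctx, void *arg), void *arg)
{
    const char *end = buf + len;
    const char *p;
    char *endptr;
    unsigned long want, got = 0;

    /* The count must be a NUL-terminated decimal inside the buffer. */
    p = memchr(buf, '\0', len);
    if (!p)
        return -1;
    want = strtoul(buf, &endptr, 10);
    if (endptr == buf || *endptr != '\0' || want > INT_MAX)
        return -1;
    p++; /* step over the NUL that ends the count */

    /* Exactly `want` NUL-terminated, non-empty contexts must follow. */
    while (got < want) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul || nul == p)
            return -1; /* unterminated or empty context */
        if (visit)
            visit(p, arg);
        p = nul + 1;
        got++;
    }
    /* Nothing may trail the announced contexts. */
    return p == end ? (int)want : -1;
}

/*
 * Constructed samples, not captured from a kernel. sizeof() includes the
 * implicit trailing NUL, which is part of the wire format.
 */
static const char OLD_REPLY[]   = "2\0user_u:user_r:user_t:s0\0user_u:user_r:staff_t:s0";
static const char SHORT_REPLY[] = "3\0user_u:user_r:user_t:s0\0user_u:user_r:staff_t:s0";
static const char STUB_REPLY[]  = "0"; /* the stub's buf[0] = '0', buf[1] = 0, return 2 */

static void remember_first(const char *ctx, void *arg)
{
    const char **slot = arg;
    if (!*slot)
        *slot = ctx;
}

/* Pre-patch reply carrying two contexts: parses as 2. */
int check_old_reply(void)   { return parse_user_reply(OLD_REPLY, sizeof(OLD_REPLY), NULL, NULL); }
/* The new stub, two bytes "0\0": a valid reply with zero contexts. */
int check_stub_reply(void)  { return parse_user_reply(STUB_REPLY, sizeof(STUB_REPLY), NULL, NULL); }
/* The stub cut to one byte (no NUL): malformed, which is why the stub returns 2, not 1. */
int check_stub_no_nul(void) { return parse_user_reply(STUB_REPLY, 1, NULL, NULL); }
/* A count that promises more contexts than are present: malformed. */
int check_short_reply(void) { return parse_user_reply(SHORT_REPLY, sizeof(SHORT_REPLY), NULL, NULL); }
/* First context the visitor sees for the old-style reply. */
const char *first_old_context(void)
{
    const char *first = NULL;
    parse_user_reply(OLD_REPLY, sizeof(OLD_REPLY), remember_first, &first);
    return first;
}

static void print_ctx(const char *ctx, void *arg) { (void)arg; printf("  %s\n", ctx); }

int main(void)
{
    printf("old reply: %d contexts\n",
           parse_user_reply(OLD_REPLY, sizeof(OLD_REPLY), print_ctx, NULL));
    printf("stub reply: %d contexts\n", check_stub_reply());
    printf("stub without NUL: %d\n", check_stub_no_nul());
    printf("short reply: %d\n", check_short_reply());
    return 0;
}
```

Compile with any C99 compiler and run; the old-style sample lists its two contexts, the stub reports zero contexts, and the two malformed variants are rejected. The trailing-bytes check and the non-empty-context check are stricter than a consumer strictly needs, but they make the compatibility claim testable: the stub is valid only because it emits the count's terminating NUL.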
* Re: [PATCH v2 0/3] selinux: prune deprecated interfaces
@ 2026-04-29 21:30 Paul Moore
From: Paul Moore @ 2026-04-29 21:30 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace

On Wed, Apr 29, 2026 at 5:12 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> *** BLURB HERE ***

*** REPLY HERE ***

> Stephen Smalley (3):
> selinux: prune /sys/fs/selinux/checkreqprot
> selinux: prune /sys/fs/selinux/disable
> selinux: prune /sys/fs/selinux/user
>
> .../{obsolete => removed}/sysfs-selinux-user | 0
> security/selinux/include/security.h | 2 -
> security/selinux/selinuxfs.c | 145 ++----------------
> security/selinux/ss/services.c | 125 ---------------
> 4 files changed, 13 insertions(+), 259 deletions(-)
> rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)
>
> --
> 2.54.0

--
paul-moore.com
* Re: [PATCH v2 0/3] selinux: prune deprecated interfaces
@ 2026-04-30 12:01 Stephen Smalley
From: Stephen Smalley @ 2026-04-30 12:01 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, omosnace, Petr Lautrbach

On Wed, Apr 29, 2026 at 5:30 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Wed, Apr 29, 2026 at 5:12 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > *** BLURB HERE ***
>
> *** REPLY HERE ***

Sorry about that - thought it would pick up the same cover note that I
used previously. Don't think it is worth re-posting just for the cover
letter.

As before, this series prunes already deprecated selinuxfs interfaces
but unlike the previous version leaves the selinuxfs nodes intact and
just returns a non-error status of the appropriate form to avoid
breaking userspace. Only one I'm not 100% sure about is
/sys/fs/selinux/user; I didn't have a system with an old enough
libselinux to test its effect on e.g. pam_selinux and friends.

> > Stephen Smalley (3):
> > selinux: prune /sys/fs/selinux/checkreqprot
> > selinux: prune /sys/fs/selinux/disable
> > selinux: prune /sys/fs/selinux/user
> >
> > .../{obsolete => removed}/sysfs-selinux-user | 0
> > security/selinux/include/security.h | 2 -
> > security/selinux/selinuxfs.c | 145 ++----------------
> > security/selinux/ss/services.c | 125 ---------------
> > 4 files changed, 13 insertions(+), 259 deletions(-)
> > rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)
> >
> > --
> > 2.54.0
>
> --
> paul-moore.com
* Re: [PATCH v2 0/3] selinux: prune deprecated interfaces
@ 2026-05-01 12:14 Stephen Smalley
From: Stephen Smalley @ 2026-05-01 12:14 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, omosnace, Petr Lautrbach

On Thu, Apr 30, 2026 at 8:01 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> Sorry about that - thought it would pick up the same cover note that I
> used previously. Don't think it is worth re-posting just for the cover
> letter.
> As before, this series prunes already deprecated selinuxfs interfaces
> but unlike the previous version leaves the selinuxfs nodes intact and
> just returns a non-error status of the appropriate form to avoid
> breaking userspace. Only one I'm not 100% sure about is
> /sys/fs/selinux/user;
> I didn't have a system with an old enough libselinux to test its
> effect on e.g. pam_selinux and friends.

I've confirmed that even RHEL 8 has stopped using /sys/fs/selinux/user,
so I don't believe there are any still-supported versions of RHEL that
were depending on it.