From: James Morris <jmorris@redhat.com>

This patch adds an 'selinux' boot parameter which must be used to actually
enable SELinux.

It follows some internal discussion about deployment issues, where a vendor
would want to ship a single kernel image with SELinux built-in, without
requiring the user to use it.

Without specifying selinux=1 as a boot parameter, SELinux will not register
with LSM and selinuxfs will not be registered as a filesystem.  This causes
SELinux to be bypassed entirely from then on, and no performance overhead
is imposed.  Other security modules may then also be loaded if needed.