[PATCH] make selinux enable param config option, enabled by

From: James Morris <jmorris@redhat.com> This patch against current bk makes the recently added SELinux boot parameter feature a configurable option, and enables SELinux by default when selected. These changes were made following feedback including discussion on the SELinux list. The rationale for the changes is to allow SELinux to be be configured and enabled unconditionally. If the boot parameter option is selected, then SELinux is now enabled unless selinux=0 is specified at the kernel command line.

[PATCH] make selinux enable param config option, enabled by
From: James Morris <jmorris@redhat.com> This patch against current bk makes the recently added SELinux boot parameter feature a configurable option, and enables SELinux by default when selected. These changes were made following feedback including discussion on the SELinux list. The rationale for the changes is to allow SELinux to be be configured and enabled unconditionally. If the boot parameter option is selected, then SELinux is now enabled unless selinux=0 is specified at the kernel command line.
beb12afa · Andrew Morton · Linus Torvalds · 94c5d6eb · beb12afa · beb12afa
Commit beb12afa authored Sep 09, 2003 by Andrew Morton Committed by Linus Torvalds Sep 09, 2003
4 changed files
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -8,9 +8,20 @@ config SECURITY_SELINUX
 	  You can obtain the policy compiler (checkpolicy), the utility for
 	  labeling filesystems (setfiles), and an example policy configuration
 	  from http://www.nsa.gov/selinux.
-	  SELinux needs to be explicitly enabled on the kernel command line with
-	  selinux=1.  If you specify selinux=0 or do not use this parameter,
-	  SELinux will not be enabled.
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_BOOTPARAM
+	bool "NSA SELinux boot parameter"
+	depends on SECURITY_SELINUX
+	default n
+	help
+	  This option adds a kernel parameter 'selinux', which allows SELinux
+	  to be disabled at boot.  If this option is selected, SELinux
+	  functionality can be disabled with selinux=0 on the kernel
+	  command line.  The purpose of this option is to allow a single
+	  kernel image to be distributed with SELinux built in, but not
+	  necessarily enabled.
+
 	  If you are unsure how to answer this question, answer N.

 config SECURITY_SELINUX_DEVELOP

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,7 +73,8 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif

-int selinux_enabled = 0;
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+int selinux_enabled = 1;

 static int __init selinux_enabled_setup(char *str)
 {
@@ -81,6 +82,7 @@ static int __init selinux_enabled_setup(char *str)
 	return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
+#endif

 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;
@@ -3357,7 +3359,7 @@ __init int selinux_init(void)
 	struct task_security_struct *tsec;

 	if (!selinux_enabled) {
-		printk(KERN_INFO "SELinux:  Not enabled at boot.\n");
+		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
 		return 0;
 	}


--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -14,6 +14,12 @@

 #define SELINUX_MAGIC 0xf97cff8c

+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+extern int selinux_enabled;
+#else
+#define selinux_enabled 1
+#endif
+
 int security_load_policy(void * data, size_t len);

 struct av_decision {

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,8 +17,6 @@
 #include "security.h"
 #include "objsec.h"

-extern int selinux_enabled;
-
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk,
 		      u32 perms)