[PATCH] Enable SELinux via boot parameter

From: James Morris <jmorris@redhat.com> This patch adds an 'selinux' boot parameter which must be used to actually enable SELinux. It follows some internal discussion about deployment issues, where a vendor would want to ship a single kernel image with SELinux built-in, without requiring the user to use it. Without specifying selinux=1 as a boot parameter, SELinux will not register with LSM and selinuxfs will not be registered as a filesystem. This causes SELinux to be bypassed entirely from then on, and no performance overhead is imposed. Other security modules may then also be loaded if needed.

[PATCH] Enable SELinux via boot parameter
From: James Morris <jmorris@redhat.com> This patch adds an 'selinux' boot parameter which must be used to actually enable SELinux. It follows some internal discussion about deployment issues, where a vendor would want to ship a single kernel image with SELinux built-in, without requiring the user to use it. Without specifying selinux=1 as a boot parameter, SELinux will not register with LSM and selinuxfs will not be registered as a filesystem. This causes SELinux to be bypassed entirely from then on, and no performance overhead is imposed. Other security modules may then also be loaded if needed.
de4716fd · Andrew Morton · Linus Torvalds · 046dbb49 · de4716fd · de4716fd
Commit de4716fd authored Sep 03, 2003 by Andrew Morton Committed by Linus Torvalds Sep 03, 2003
Showing with 21 additions and 2 deletions

security/selinux/Kconfig security/selinux/Kconfig +4 -1

security/selinux/hooks.c security/selinux/hooks.c +14 -0

security/selinux/selinuxfs.c security/selinux/selinuxfs.c +3 -1

No files found.
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -3,11 +3,14 @@ config SECURITY_SELINUX
 	depends on SECURITY
 	default n
 	help
-	  This enables NSA Security-Enhanced Linux (SELinux).
+	  This selects NSA Security-Enhanced Linux (SELinux).
 	  You will also need a policy configuration and a labeled filesystem.
 	  You can obtain the policy compiler (checkpolicy), the utility for
 	  labeling filesystems (setfiles), and an example policy configuration
 	  from http://www.nsa.gov/selinux.
+	  SELinux needs to be explicitly enabled on the kernel command line with
+	  selinux=1.  If you specify selinux=0 or do not use this parameter,
+	  SELinux will not be enabled.
 	  If you are unsure how to answer this question, answer N.

 config SECURITY_SELINUX_DEVELOP

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,6 +73,15 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif

+int selinux_enabled = 0;
+
+static int __init selinux_enabled_setup(char *str)
+{
+	selinux_enabled = simple_strtol(str, NULL, 0);
+	return 1;
+}
+__setup("selinux=", selinux_enabled_setup);
+
 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;

@@ -3347,6 +3356,11 @@ __init int selinux_init(void)
 {
 	struct task_security_struct *tsec;

+	if (!selinux_enabled) {
+		printk(KERN_INFO "SELinux:  Not enabled at boot.\n");
+		return 0;
+	}
+
 	printk(KERN_INFO "SELinux:  Initializing.\n");

 	/* Set the security state for the initial task. */

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,6 +17,8 @@
 #include "security.h"
 #include "objsec.h"

+extern int selinux_enabled;
+
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk,
 		      u32 perms)
@@ -587,7 +589,7 @@ static struct file_system_type sel_fs_type = {

 static int __init init_sel_fs(void)
 {
-	return register_filesystem(&sel_fs_type);
+	return selinux_enabled ? register_filesystem(&sel_fs_type) : 0;
 }

 __initcall(init_sel_fs);