Commit beb12afa authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] make selinux enable param config option, enabled by

From: James Morris <jmorris@redhat.com>

This patch against current bk makes the recently added SELinux boot
parameter feature a configurable option, and enables SELinux by default
when selected.  These changes were made following feedback including 
discussion on the SELinux list.

The rationale for the changes is to allow SELinux to be be configured and
enabled unconditionally.  If the boot parameter option is selected, then
SELinux is now enabled unless selinux=0 is specified at the kernel command
line.
parent 94c5d6eb
...@@ -8,9 +8,20 @@ config SECURITY_SELINUX ...@@ -8,9 +8,20 @@ config SECURITY_SELINUX
You can obtain the policy compiler (checkpolicy), the utility for You can obtain the policy compiler (checkpolicy), the utility for
labeling filesystems (setfiles), and an example policy configuration labeling filesystems (setfiles), and an example policy configuration
from http://www.nsa.gov/selinux. from http://www.nsa.gov/selinux.
SELinux needs to be explicitly enabled on the kernel command line with If you are unsure how to answer this question, answer N.
selinux=1. If you specify selinux=0 or do not use this parameter,
SELinux will not be enabled. config SECURITY_SELINUX_BOOTPARAM
bool "NSA SELinux boot parameter"
depends on SECURITY_SELINUX
default n
help
This option adds a kernel parameter 'selinux', which allows SELinux
to be disabled at boot. If this option is selected, SELinux
functionality can be disabled with selinux=0 on the kernel
command line. The purpose of this option is to allow a single
kernel image to be distributed with SELinux built in, but not
necessarily enabled.
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP config SECURITY_SELINUX_DEVELOP
......
...@@ -73,7 +73,8 @@ static int __init enforcing_setup(char *str) ...@@ -73,7 +73,8 @@ static int __init enforcing_setup(char *str)
__setup("enforcing=", enforcing_setup); __setup("enforcing=", enforcing_setup);
#endif #endif
int selinux_enabled = 0; #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
int selinux_enabled = 1;
static int __init selinux_enabled_setup(char *str) static int __init selinux_enabled_setup(char *str)
{ {
...@@ -81,6 +82,7 @@ static int __init selinux_enabled_setup(char *str) ...@@ -81,6 +82,7 @@ static int __init selinux_enabled_setup(char *str)
return 1; return 1;
} }
__setup("selinux=", selinux_enabled_setup); __setup("selinux=", selinux_enabled_setup);
#endif
/* Original (dummy) security module. */ /* Original (dummy) security module. */
static struct security_operations *original_ops = NULL; static struct security_operations *original_ops = NULL;
...@@ -3357,7 +3359,7 @@ __init int selinux_init(void) ...@@ -3357,7 +3359,7 @@ __init int selinux_init(void)
struct task_security_struct *tsec; struct task_security_struct *tsec;
if (!selinux_enabled) { if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Not enabled at boot.\n"); printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0; return 0;
} }
......
...@@ -14,6 +14,12 @@ ...@@ -14,6 +14,12 @@
#define SELINUX_MAGIC 0xf97cff8c #define SELINUX_MAGIC 0xf97cff8c
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
extern int selinux_enabled;
#else
#define selinux_enabled 1
#endif
int security_load_policy(void * data, size_t len); int security_load_policy(void * data, size_t len);
struct av_decision { struct av_decision {
......
...@@ -17,8 +17,6 @@ ...@@ -17,8 +17,6 @@
#include "security.h" #include "security.h"
#include "objsec.h" #include "objsec.h"
extern int selinux_enabled;
/* Check whether a task is allowed to use a security operation. */ /* Check whether a task is allowed to use a security operation. */
int task_has_security(struct task_struct *tsk, int task_has_security(struct task_struct *tsk,
u32 perms) u32 perms)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment