Commit de4716fd authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] Enable SELinux via boot parameter

From: James Morris <jmorris@redhat.com>

This patch adds an 'selinux' boot parameter which must be used to actually
enable SELinux.

It follows some internal discussion about deployment issues, where a vendor
would want to ship a single kernel image with SELinux built-in, without
requiring the user to use it.

Without specifying selinux=1 as a boot parameter, SELinux will not register
with LSM and selinuxfs will not be registered as a filesystem.  This causes
SELinux to be bypassed entirely from then on, and no performance overhead
is imposed.  Other security modules may then also be loaded if needed.
parent 046dbb49
......@@ -3,11 +3,14 @@ config SECURITY_SELINUX
depends on SECURITY
default n
help
This enables NSA Security-Enhanced Linux (SELinux).
This selects NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
You can obtain the policy compiler (checkpolicy), the utility for
labeling filesystems (setfiles), and an example policy configuration
from http://www.nsa.gov/selinux.
SELinux needs to be explicitly enabled on the kernel command line with
selinux=1. If you specify selinux=0 or do not use this parameter,
SELinux will not be enabled.
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP
......
......@@ -73,6 +73,15 @@ static int __init enforcing_setup(char *str)
__setup("enforcing=", enforcing_setup);
#endif
int selinux_enabled = 0;
static int __init selinux_enabled_setup(char *str)
{
selinux_enabled = simple_strtol(str, NULL, 0);
return 1;
}
__setup("selinux=", selinux_enabled_setup);
/* Original (dummy) security module. */
static struct security_operations *original_ops = NULL;
......@@ -3347,6 +3356,11 @@ __init int selinux_init(void)
{
struct task_security_struct *tsec;
if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Not enabled at boot.\n");
return 0;
}
printk(KERN_INFO "SELinux: Initializing.\n");
/* Set the security state for the initial task. */
......
......@@ -17,6 +17,8 @@
#include "security.h"
#include "objsec.h"
extern int selinux_enabled;
/* Check whether a task is allowed to use a security operation. */
int task_has_security(struct task_struct *tsk,
u32 perms)
......@@ -587,7 +589,7 @@ static struct file_system_type sel_fs_type = {
static int __init init_sel_fs(void)
{
return register_filesystem(&sel_fs_type);
return selinux_enabled ? register_filesystem(&sel_fs_type) : 0;
}
__initcall(init_sel_fs);
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment