[PATCH] Enable SELinux via boot parameter

From: James Morris <jmorris@redhat.com>

This patch adds an 'selinux' boot parameter which must be used to actually
enable SELinux.

It follows some internal discussion about deployment issues, where a vendor
would want to ship a single kernel image with SELinux built-in, without
requiring the user to use it.

Without specifying selinux=1 as a boot parameter, SELinux will not register
with LSM and selinuxfs will not be registered as a filesystem.  This causes
SELinux to be bypassed entirely from then on, and no performance overhead
is imposed.  Other security modules may then also be loaded if needed.

3 files changed, 21 insertions, 2 deletions

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 3bc431d4617f..ac4d772d77ad 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -3,11 +3,14 @@ config SECURITY_SELINUX
 	depends on SECURITY
 	default n
 	help
-	  This enables NSA Security-Enhanced Linux (SELinux).
+	  This selects NSA Security-Enhanced Linux (SELinux).
 	  You will also need a policy configuration and a labeled filesystem.
 	  You can obtain the policy compiler (checkpolicy), the utility for
 	  labeling filesystems (setfiles), and an example policy configuration
 	  from http://www.nsa.gov/selinux.
+	  SELinux needs to be explicitly enabled on the kernel command line with
+	  selinux=1.  If you specify selinux=0 or do not use this parameter,
+	  SELinux will not be enabled.
 	  If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fc514f4517e9..d8c724a9ec7c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,6 +73,15 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif
 
+int selinux_enabled = 0;
+
+static int __init selinux_enabled_setup(char *str)
+{
+	selinux_enabled = simple_strtol(str, NULL, 0);
+	return 1;
+}
+__setup("selinux=", selinux_enabled_setup);
+
 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;
 
@@ -3347,6 +3356,11 @@ __init int selinux_init(void)
 {
 	struct task_security_struct *tsec;
 
+	if (!selinux_enabled) {
+		printk(KERN_INFO "SELinux:  Not enabled at boot.\n");
+		return 0;
+	}
+
 	printk(KERN_INFO "SELinux:  Initializing.\n");
 
 	/* Set the security state for the initial task. */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 1b3aa3f62782..8fa2533b0042 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,6 +17,8 @@
 #include "security.h"
 #include "objsec.h"
 
+extern int selinux_enabled;
+
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk,
 		      u32 perms)
@@ -587,7 +589,7 @@ static struct file_system_type sel_fs_type = {
 
 static int __init init_sel_fs(void)
 {
-	return register_filesystem(&sel_fs_type);
+	return selinux_enabled ? register_filesystem(&sel_fs_type) : 0;
 }
 
 __initcall(init_sel_fs);