Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/Kconfig | 17 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 6 | ||||
| -rw-r--r-- | security/selinux/include/security.h | 6 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 2 |
4 files changed, 24 insertions, 7 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ac4d772d77ad..0c620fcae0e0 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -8,9 +8,20 @@ config SECURITY_SELINUX
 You can obtain the policy compiler (checkpolicy), the utility for labeling filesystems (setfiles), and an example policy configuration from http://www.nsa.gov/selinux.
- SELinux needs to be explicitly enabled on the kernel command line with
- selinux=1. If you specify selinux=0 or do not use this parameter,
- SELinux will not be enabled.
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_BOOTPARAM
+ bool "NSA SELinux boot parameter"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This option adds a kernel parameter 'selinux', which allows SELinux
+ to be disabled at boot. If this option is selected, SELinux
+ functionality can be disabled with selinux=0 on the kernel
+ command line. The purpose of this option is to allow a single
+ kernel image to be distributed with SELinux built in, but not
+ necessarily enabled.
+
 If you are unsure how to answer this question, answer N.
 config SECURITY_SELINUX_DEVELOP
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d8c724a9ec7c..d39090fea448 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,7 +73,8 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif
-int selinux_enabled = 0;
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+int selinux_enabled = 1;
 static int __init selinux_enabled_setup(char *str)
 {
@@ -81,6 +82,7 @@ static int __init selinux_enabled_setup(char *str)
 return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
+#endif
 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;
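Review bot: The help text of the new SECURITY_SELINUX_BOOTPARAM entry does not say what the `selinux=0` switch costs: it lets whoever controls the kernel command line turn the security module off entirely, so the option is only appropriate where the bootloader configuration is protected as strongly as the kernel image. Adding a sentence after the command-line paragraph, such as `Note that anyone able to change the kernel command line can then disable SELinux; say N unless the boot configuration is protected.`, would make that trade-off explicit to whoever configures the kernel. With `default n`, kernels that do not select the option lose the `selinux=` parameter altogether, the opposite of what the removed paragraph documented; whatever documents that parameter outside security/ is not part of this diff and may need the same update.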
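Review bot: `int selinux_enabled = 1;` silently inverts the default — SELinux is now on unless `selinux=0` is passed, where before it was off unless `selinux=1` was passed — and nothing at the definition records that, so a comment such as `/* Enabled by default; selinux=0 on the command line switches it off. */` would help the next reader. The body of selinux_enabled_setup lies between this hunk and the next and is not visible here, so whether it still accepts values other than 0 and 1 cannot be checked from this page. The `#endif` added in the second hunk closes a block opened a hunk earlier; `#endif /* CONFIG_SECURITY_SELINUX_BOOTPARAM */` would make the pairing obvious.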
@@ -3357,7 +3359,7 @@ __init int selinux_init(void)
 struct task_security_struct *tsec;
 if (!selinux_enabled) {
-printk(KERN_INFO "SELinux: Not enabled at boot.\n");
+printk(KERN_INFO "SELinux: Disabled at boot.\n");
 return 0;
 }
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ae7f66de89e5..15b92012851e 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -14,6 +14,12 @@
 #define SELINUX_MAGIC 0xf97cff8c
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+extern int selinux_enabled;
+#else
+#define selinux_enabled 1
+#endif
+
 int security_load_policy(void * data, size_t len);
 struct av_decision {
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 8fa2533b0042..0c0ea83d0456 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,8 +17,6 @@
 #include "security.h"
 #include "objsec.h"
-extern int selinux_enabled;
-
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk, u32 perms)
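Review bot: `#define selinux_enabled 1` in the `#else` branch of security.h turns a name that reads like a variable into a macro with no comment explaining why, so a future `selinux_enabled = 0;` in any file including this header fails with a confusing `1 = 0` error instead of pointing at the config option. A comment above the block, `/* Without CONFIG_SECURITY_SELINUX_BOOTPARAM SELinux cannot be switched off at run time; every selinux_enabled check can then fold away at compile time. */`, would record the intent. It also means any translation unit that defines the variable has to keep the definition under the same #ifdef, as hooks.c does in this series; the header enforces that only by breaking the build otherwise.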
