Re: [PATCH] [LSM] Rework LSM hooks

[James Morris]

On Tue, 10 Aug 2004, Chris Wright wrote:

> * James Morris (jmorris@xxxxxxxxxx) wrote:
> > On Tue, 10 Aug 2004, Kurt Garloff wrote:
> > > The first patch patch does just change the selinux default; so you
> > > need to enable with selinux=1.
> > 
> > This issue has been through a couple of iterations and the current scheme
> > where if you have SELinux enabled, it is on by default, is aimed at being
> > more secure by default.  On some platforms, boot parameters are not
> > feasible.  To allow SELinux to be disable for these, the /selinux/disable
> > node was implemented, which allows SELinux to be unregistered during boot.  
> > I suggest you investigate using this; look at what Fedora does.
> 
> Could make selinux_enabled value configurable.  I don't really like the
> extra configuration, but if it's more vendor neutral to have config
> not only control if you can have bootparam, but also default value,
> then perhaps it'd be useful.

Config option sounds fine to me.

- James
-- 
James Morris
<jmorris@xxxxxxxxxx>


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/