Re: [PATCH] [LSM] Rework LSM hooks

From: Chris Wright
Date: Tue Aug 10 2004 - 15:48:10 EST


* James Morris (jmorris@xxxxxxxxxx) wrote:
> On Tue, 10 Aug 2004, Chris Wright wrote:
>
> > * James Morris (jmorris@xxxxxxxxxx) wrote:
> > > On Tue, 10 Aug 2004, Kurt Garloff wrote:
> > > > The first patch does just change the selinux default; so you
> > > > need to enable with selinux=1.
> > >
> > > This issue has been through a couple of iterations and the current scheme
> > > where if you have SELinux enabled, it is on by default, is aimed at being
> > > more secure by default. On some platforms, boot parameters are not
> > > feasible. To allow SELinux to be disabled for these, the /selinux/disable
> > > node was implemented, which allows SELinux to be unregistered during boot.
> > > I suggest you investigate using this; look at what Fedora does.
> >
> > Could make selinux_enabled value configurable. I don't really like the
> > extra configuration, but if it's more vendor neutral to have config
> > not only control if you can have bootparam, but also default value,
> > then perhaps it'd be useful.
>
> Config option sounds fine to me.

I'll push this up, unless there's an objection.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net

===== security/selinux/Kconfig 1.6 vs edited =====
--- 1.6/security/selinux/Kconfig 2004-06-01 02:27:56 -07:00
+++ edited/security/selinux/Kconfig 2004-08-10 13:39:43 -07:00
@@ -24,6 +24,21 @@

If you are unsure how to answer this question, answer N.

+config SECURITY_SELINUX_BOOTPARAM_VALUE
+ int "NSA SELinux boot parameter default value"
+ depends on SECURITY_SELINUX_BOOTPARAM
+ range 0 1
+ default 1
+ help
+ This option sets the default value for the kernel parameter
+ 'selinux', which allows SELinux to be disabled at boot. If this
+ option is set to 0 (zero), the SELinux kernel parameter will
+ default to 0, disabling SELinux at bootup. If this option is
+ set to 1 (one), the SELinux kernel paramater will default to 1,
+ enabling SELinux at bootup.
+
+ If you are unsure how to answer this question, answer 1.
+
config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX
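Review bot: the new help text has a typo in the line `+ set to 1 (one), the SELinux kernel paramater will default to 1,` ("paramater" should be "parameter"), and it would read better if it also said that with a value of 0 SELinux stays off only until `selinux=1` is passed on the kernel command line, since the option only sets the default of the boot parameter rather than disabling SELinux outright (the setup handler in hooks.c still honours the parameter either way). The `range 0 1` / `default 1` pair matches the "answer 1" advice and keeps the secure-by-default behaviour discussed earlier in the thread, so no change needed there.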
===== security/selinux/hooks.c 1.53 vs edited =====
--- 1.53/security/selinux/hooks.c 2004-07-28 21:58:32 -07:00
+++ edited/security/selinux/hooks.c 2004-08-10 13:44:00 -07:00
@@ -87,7 +87,7 @@
#endif

#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
-int selinux_enabled = 1;
+int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;

static int __init selinux_enabled_setup(char *str)
{
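Review bot: the initializer `+int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;` sits inside `#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM`, which is consistent with the Kconfig `depends on SECURITY_SELINUX_BOOTPARAM`, so the symbol is always defined when it is used here. The `#else` branch for builds without the boot parameter is outside this hunk; worth confirming it still hard-enables `selinux_enabled` so that a non-bootparam kernel cannot end up with SELinux silently off. A one-line comment above the initializer pointing at the Kconfig option would help readers who only see this file, and a build with the value set to 0 should be boot-tested once to check that `selinux=1` still turns SELinux on as the help text promises.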