2003-09-04 16:42:25

by James Morris

[permalink] [raw]
Subject: [PATCH][SELINUX] make selinux enable param config option, enabled by default

This patch against current bk makes the recently added SELinux boot
parameter feature a configurable option, and enables SELinux by default
when selected. These changes were made following feedback including
discussion on the SELinux list.

The rationale for the changes is to allow SELinux to be be configured and
enabled unconditionally. If the boot parameter option is selected, then
SELinux is now enabled unless selinux=0 is specified at the kernel command
line.

Please apply.

- James
--
James Morris
<[email protected]>


diff -urN -X dontdiff bk26.orig/security/selinux/hooks.c bk26.w1/security/selinux/hooks.c
--- bk26.orig/security/selinux/hooks.c 2003-09-05 02:03:13.000000000 +1000
+++ bk26.w1/security/selinux/hooks.c 2003-09-05 02:17:24.000000000 +1000
@@ -73,7 +73,8 @@
__setup("enforcing=", enforcing_setup);
#endif

-int selinux_enabled = 0;
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+int selinux_enabled = 1;

static int __init selinux_enabled_setup(char *str)
{
@@ -81,6 +82,7 @@
return 1;
}
__setup("selinux=", selinux_enabled_setup);
+#endif

/* Original (dummy) security module. */
static struct security_operations *original_ops = NULL;
@@ -3357,7 +3359,7 @@
struct task_security_struct *tsec;

if (!selinux_enabled) {
- printk(KERN_INFO "SELinux: Not enabled at boot.\n");
+ printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0;
}

diff -urN -X dontdiff bk26.orig/security/selinux/include/security.h bk26.w1/security/selinux/include/security.h
--- bk26.orig/security/selinux/include/security.h 2003-09-05 02:02:55.000000000 +1000
+++ bk26.w1/security/selinux/include/security.h 2003-09-05 02:17:24.000000000 +1000
@@ -14,6 +14,12 @@

#define SELINUX_MAGIC 0xf97cff8c

+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+extern int selinux_enabled;
+#else
+#define selinux_enabled 1
+#endif
+
int security_load_policy(void * data, size_t len);

struct av_decision {
diff -urN -X dontdiff bk26.orig/security/selinux/Kconfig bk26.w1/security/selinux/Kconfig
--- bk26.orig/security/selinux/Kconfig 2003-09-05 02:02:55.000000000 +1000
+++ bk26.w1/security/selinux/Kconfig 2003-09-05 02:17:24.000000000 +1000
@@ -8,11 +8,22 @@
You can obtain the policy compiler (checkpolicy), the utility for
labeling filesystems (setfiles), and an example policy configuration
from http://www.nsa.gov/selinux.
- SELinux needs to be explicitly enabled on the kernel command line with
- selinux=1. If you specify selinux=0 or do not use this parameter,
- SELinux will not be enabled.
If you are unsure how to answer this question, answer N.

+config SECURITY_SELINUX_BOOTPARAM
+ bool "NSA SELinux boot parameter"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This option adds a kernel parameter 'selinux', which allows SELinux
+ to be disabled at boot. If this option is selected, SELinux
+ functionality can be disabled with selinux=0 on the kernel
+ command line. The purpose of this option is to allow a single
+ kernel image to be distributed with SELinux built in, but not
+ necessarily enabled.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_SELINUX_DEVELOP
bool "NSA SELinux Development Support"
depends on SECURITY_SELINUX
diff -urN -X dontdiff bk26.orig/security/selinux/selinuxfs.c bk26.w1/security/selinux/selinuxfs.c
--- bk26.orig/security/selinux/selinuxfs.c 2003-09-05 02:03:17.000000000 +1000
+++ bk26.w1/security/selinux/selinuxfs.c 2003-09-05 02:17:24.000000000 +1000
@@ -17,8 +17,6 @@
#include "security.h"
#include "objsec.h"

-extern int selinux_enabled;
-
/* Check whether a task is allowed to use a security operation. */
int task_has_security(struct task_struct *tsk,
u32 perms)