[PATCH] make selinux enable param config option, enabled by

From: James Morris <jmorris@redhat.com>

This patch against current bk makes the recently added SELinux boot
parameter feature a configurable option, and enables SELinux by default
when selected.  These changes were made following feedback including 
discussion on the SELinux list.

The rationale for the changes is to allow SELinux to be be configured and
enabled unconditionally.  If the boot parameter option is selected, then
SELinux is now enabled unless selinux=0 is specified at the kernel command
line.

4 files changed, 24 insertions, 7 deletions

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ac4d772d77ad6a..0c620fcae0e069 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -8,9 +8,20 @@ config SECURITY_SELINUX
 	  You can obtain the policy compiler (checkpolicy), the utility for
 	  labeling filesystems (setfiles), and an example policy configuration
 	  from http://www.nsa.gov/selinux.
-	  SELinux needs to be explicitly enabled on the kernel command line with
-	  selinux=1.  If you specify selinux=0 or do not use this parameter,
-	  SELinux will not be enabled.
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_BOOTPARAM
+	bool "NSA SELinux boot parameter"
+	depends on SECURITY_SELINUX
+	default n
+	help
+	  This option adds a kernel parameter 'selinux', which allows SELinux
+	  to be disabled at boot.  If this option is selected, SELinux
+	  functionality can be disabled with selinux=0 on the kernel
+	  command line.  The purpose of this option is to allow a single
+	  kernel image to be distributed with SELinux built in, but not
+	  necessarily enabled.
+
 	  If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d8c724a9ec7cc9..d39090fea44872 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,7 +73,8 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif
 
-int selinux_enabled = 0;
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+int selinux_enabled = 1;
 
 static int __init selinux_enabled_setup(char *str)
 {
@@ -81,6 +82,7 @@ static int __init selinux_enabled_setup(char *str)
 	return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
+#endif
 
 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;
@@ -3357,7 +3359,7 @@ __init int selinux_init(void)
 	struct task_security_struct *tsec;
 
 	if (!selinux_enabled) {
-		printk(KERN_INFO "SELinux:  Not enabled at boot.\n");
+		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
 		return 0;
 	}
 
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ae7f66de89e55a..15b92012851e9a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -14,6 +14,12 @@
 
 #define SELINUX_MAGIC 0xf97cff8c
 
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+extern int selinux_enabled;
+#else
+#define selinux_enabled 1
+#endif
+
 int security_load_policy(void * data, size_t len);
 
 struct av_decision {
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 8fa2533b004209..0c0ea83d04568f 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,8 +17,6 @@
 #include "security.h"
 #include "objsec.h"
 
-extern int selinux_enabled;
-
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk,
 		      u32 perms)