From: James Morris This patch adds an 'selinux' boot parameter which must be used to actually enable SELinux. It follows some internal discussion about deployment issues, where a vendor would want to ship a single kernel image with SELinux built-in, without requiring the user to use it. Without specifying selinux=1 as a boot parameter, SELinux will not register with LSM and selinuxfs will not be registered as a filesystem. This causes SELinux to be bypassed entirely from then on, and no performance overhead is imposed. Other security modules may then also be loaded if needed. 25-akpm/security/selinux/Kconfig | 5 ++++- 25-akpm/security/selinux/hooks.c | 14 ++++++++++++++ 25-akpm/security/selinux/selinuxfs.c | 4 +++- 3 files changed, 21 insertions(+), 2 deletions(-) diff -puN security/selinux/hooks.c~enable-selinux-with-boot-parameter security/selinux/hooks.c --- 25/security/selinux/hooks.c~enable-selinux-with-boot-parameter Tue Sep 2 08:41:27 2003 +++ 25-akpm/security/selinux/hooks.c Tue Sep 2 08:41:27 2003 @@ -73,6 +73,15 @@ static int __init enforcing_setup(char * __setup("enforcing=", enforcing_setup); #endif +int selinux_enabled = 0; + +static int __init selinux_enabled_setup(char *str) +{ + selinux_enabled = simple_strtol(str, NULL, 0); + return 1; +} +__setup("selinux=", selinux_enabled_setup); + /* Original (dummy) security module. */ static struct security_operations *original_ops = NULL; @@ -3347,6 +3356,11 @@ __init int selinux_init(void) { struct task_security_struct *tsec; + if (!selinux_enabled) { + printk(KERN_INFO "SELinux: Not enabled at boot.\n"); + return 0; + } + printk(KERN_INFO "SELinux: Initializing.\n"); /* Set the security state for the initial task. */ diff -puN security/selinux/Kconfig~enable-selinux-with-boot-parameter security/selinux/Kconfig --- 25/security/selinux/Kconfig~enable-selinux-with-boot-parameter Tue Sep 2 08:41:27 2003 +++ 25-akpm/security/selinux/Kconfig Tue Sep 2 08:41:27 2003 @@ -3,11 +3,14 @@ config SECURITY_SELINUX depends on SECURITY default n help - This enables NSA Security-Enhanced Linux (SELinux). + This selects NSA Security-Enhanced Linux (SELinux). You will also need a policy configuration and a labeled filesystem. You can obtain the policy compiler (checkpolicy), the utility for labeling filesystems (setfiles), and an example policy configuration from http://www.nsa.gov/selinux. + SELinux needs to be explicitly enabled on the kernel command line with + selinux=1. If you specify selinux=0 or do not use this parameter, + SELinux will not be enabled. If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DEVELOP diff -puN security/selinux/selinuxfs.c~enable-selinux-with-boot-parameter security/selinux/selinuxfs.c --- 25/security/selinux/selinuxfs.c~enable-selinux-with-boot-parameter Tue Sep 2 08:41:27 2003 +++ 25-akpm/security/selinux/selinuxfs.c Tue Sep 2 08:41:27 2003 @@ -17,6 +17,8 @@ #include "security.h" #include "objsec.h" +extern int selinux_enabled; + /* Check whether a task is allowed to use a security operation. */ int task_has_security(struct task_struct *tsk, u32 perms) @@ -587,7 +589,7 @@ static struct file_system_type sel_fs_ty static int __init init_sel_fs(void) { - return register_filesystem(&sel_fs_type); + return selinux_enabled ? register_filesystem(&sel_fs_type) : 0; } __initcall(init_sel_fs); _