From: James Morris This patch against current bk makes the recently added SELinux boot parameter feature a configurable option, and enables SELinux by default when selected. These changes were made following feedback including discussion on the SELinux list. The rationale for the changes is to allow SELinux to be be configured and enabled unconditionally. If the boot parameter option is selected, then SELinux is now enabled unless selinux=0 is specified at the kernel command line. 25-akpm/security/selinux/Kconfig | 17 ++++++++++++++--- 25-akpm/security/selinux/hooks.c | 6 ++++-- 25-akpm/security/selinux/include/security.h | 6 ++++++ 25-akpm/security/selinux/selinuxfs.c | 2 -- 4 files changed, 24 insertions(+), 7 deletions(-) diff -puN security/selinux/hooks.c~selinux-option-config-option security/selinux/hooks.c --- 25/security/selinux/hooks.c~selinux-option-config-option Thu Sep 4 11:08:12 2003 +++ 25-akpm/security/selinux/hooks.c Thu Sep 4 11:08:12 2003 @@ -73,7 +73,8 @@ static int __init enforcing_setup(char * __setup("enforcing=", enforcing_setup); #endif -int selinux_enabled = 0; +#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM +int selinux_enabled = 1; static int __init selinux_enabled_setup(char *str) { @@ -81,6 +82,7 @@ static int __init selinux_enabled_setup( return 1; } __setup("selinux=", selinux_enabled_setup); +#endif /* Original (dummy) security module. */ static struct security_operations *original_ops = NULL; @@ -3357,7 +3359,7 @@ __init int selinux_init(void) struct task_security_struct *tsec; if (!selinux_enabled) { - printk(KERN_INFO "SELinux: Not enabled at boot.\n"); + printk(KERN_INFO "SELinux: Disabled at boot.\n"); return 0; } diff -puN security/selinux/include/security.h~selinux-option-config-option security/selinux/include/security.h --- 25/security/selinux/include/security.h~selinux-option-config-option Thu Sep 4 11:08:12 2003 +++ 25-akpm/security/selinux/include/security.h Thu Sep 4 11:08:12 2003 
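Review bot: With the default flipped to `int selinux_enabled = 1;` in the first hooks.c hunk, the parsing in selinux_enabled_setup() becomes the only thing that can switch the module off. Its body sits between this hunk and the next, so it is not visible here. If it uses a lenient integer conversion, values such as `selinux=` or `selinux=no` would presumably evaluate to 0 and disable SELinux just as `selinux=0` does; that should be confirmed and either accepted deliberately or rejected. The variable also deserves a comment, e.g. `/* 1 unless selinux=0 is given on the kernel command line; tested in selinux_init() */`.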
@@ -14,6 +14,12 @@ #define SELINUX_MAGIC 0xf97cff8c +#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM +extern int selinux_enabled; +#else +#define selinux_enabled 1 +#endif + int security_load_policy(void * data, size_t len); struct av_decision { diff -puN security/selinux/Kconfig~selinux-option-config-option security/selinux/Kconfig --- 25/security/selinux/Kconfig~selinux-option-config-option Thu Sep 4 11:08:12 2003 +++ 25-akpm/security/selinux/Kconfig Thu Sep 4 11:08:12 2003 @@ -8,9 +8,20 @@ config SECURITY_SELINUX You can obtain the policy compiler (checkpolicy), the utility for labeling filesystems (setfiles), and an example policy configuration from http://www.nsa.gov/selinux. - SELinux needs to be explicitly enabled on the kernel command line with - selinux=1. If you specify selinux=0 or do not use this parameter, - SELinux will not be enabled. + If you are unsure how to answer this question, answer N. + +config SECURITY_SELINUX_BOOTPARAM + bool "NSA SELinux boot parameter" + depends on SECURITY_SELINUX + default n + help + This option adds a kernel parameter 'selinux', which allows SELinux + to be disabled at boot. If this option is selected, SELinux + functionality can be disabled with selinux=0 on the kernel + command line. The purpose of this option is to allow a single + kernel image to be distributed with SELinux built in, but not + necessarily enabled. + If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DEVELOP diff -puN security/selinux/selinuxfs.c~selinux-option-config-option security/selinux/selinuxfs.c --- 25/security/selinux/selinuxfs.c~selinux-option-config-option Thu Sep 4 11:08:12 2003 +++ 25-akpm/security/selinux/selinuxfs.c Thu Sep 4 11:08:12 2003 @@ -17,8 +17,6 @@ #include "security.h" #include "objsec.h" -extern int selinux_enabled; - /* Check whether a task is allowed to use a security operation. */ int task_has_security(struct task_struct *tsk, u32 perms) _
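Review bot: The fallback `#define selinux_enabled 1` turns an ordinary lower-case identifier into a macro, so any remaining `extern int selinux_enabled;` or assignment in a file that includes this header will fail to compile when CONFIG_SECURITY_SELINUX_BOOTPARAM is off. The patch removes the one local declaration in selinuxfs.c; other users are not visible in the diff and should be checked by building with the option disabled. hooks.c tests `selinux_enabled` in selinux_init() outside its own `#ifdef`, so that build also relies on this header being included there. A comment would make the intent plain: `/* No boot parameter: SELinux is always enabled and the checks fold to a constant. */`.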
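Review bot: The help text for SECURITY_SELINUX_BOOTPARAM explains the distribution use case but not the consequence for enforcement. With the option selected, whoever controls the kernel command line (boot loader configuration or console access at boot) can start the system with SELinux off via `selinux=0`. I would add a sentence such as `If SELinux must always be active on this kernel, answer N so that it cannot be disabled from the command line.`; the `default n` already matches that advice. The parameter's new default-on meaning may also need a matching update in the kernel parameter documentation, which the diffstat does not show this patch touching.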