This patch adds an 'selinux' boot parameter which must be used to actually
enable SELinux.
It follows some internal discussion about deployment issues, where a vendor
would want to ship a single kernel image with SELinux built-in, without
requiring the user to use it.
Without specifying selinux=1 as a boot parameter, SELinux will not register
with LSM and selinuxfs will not be registered as a filesystem. This causes
SELinux to be bypassed entirely from then on, and no performance overhead
is imposed. Other security modules may then also be loaded if needed.
projects / history.git / commit