[PATCH] Enable SELinux via boot parameter

From: James Morris <jmorris@redhat.com>

This patch adds an 'selinux' boot parameter which must be used to actually
enable SELinux.

It follows some internal discussion about deployment issues, where a vendor
would want to ship a single kernel image with SELinux built-in, without
requiring the user to use it.

Without specifying selinux=1 as a boot parameter, SELinux will not register
with LSM and selinuxfs will not be registered as a filesystem.  This causes
SELinux to be bypassed entirely from then on, and no performance overhead
is imposed.  Other security modules may then also be loaded if needed.

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 3bc431d4617f38a78c49f6256432077b1ec196ac..ac4d772d77ad6aa83e0d41638370bbaa65d0ee24 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -3,11 +3,14 @@ config SECURITY_SELINUX
        depends on SECURITY
        default n
        help
-         This enables NSA Security-Enhanced Linux (SELinux).
+         This selects NSA Security-Enhanced Linux (SELinux).
          You will also need a policy configuration and a labeled filesystem.
          You can obtain the policy compiler (checkpolicy), the utility for
          labeling filesystems (setfiles), and an example policy configuration
          from http://www.nsa.gov/selinux.
+         SELinux needs to be explicitly enabled on the kernel command line with
+         selinux=1.  If you specify selinux=0 or do not use this parameter,
+         SELinux will not be enabled.
          If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fc514f4517e9fbcd80e66184e03fa5bfdab176d4..d8c724a9ec7cc955a2e84f171d6a5e57f15a9c4b 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,6 +73,15 @@ static int __init enforcing_setup(char *str)
 __setup("enforcing=", enforcing_setup);
 #endif
 
+int selinux_enabled = 0;
+
+static int __init selinux_enabled_setup(char *str)
+{
+       selinux_enabled = simple_strtol(str, NULL, 0);
+       return 1;
+}
+__setup("selinux=", selinux_enabled_setup);
+
 /* Original (dummy) security module. */
 static struct security_operations *original_ops = NULL;
 
@@ -3347,6 +3356,11 @@ __init int selinux_init(void)
 {
        struct task_security_struct *tsec;
 
+       if (!selinux_enabled) {
+               printk(KERN_INFO "SELinux:  Not enabled at boot.\n");
+               return 0;
+       }
+
        printk(KERN_INFO "SELinux:  Initializing.\n");
 
        /* Set the security state for the initial task. */

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 1b3aa3f627829dbcf87ec290ec21db657bb21a94..8fa2533b00420947f056dd8a1ebe6f42ca617662 100644 (file)
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -17,6 +17,8 @@
 #include "security.h"
 #include "objsec.h"
 
+extern int selinux_enabled;
+
 /* Check whether a task is allowed to use a security operation. */
 int task_has_security(struct task_struct *tsk,
                      u32 perms)
@@ -587,7 +589,7 @@ static struct file_system_type sel_fs_type = {
 
 static int __init init_sel_fs(void)
 {
-       return register_filesystem(&sel_fs_type);
+       return selinux_enabled ? register_filesystem(&sel_fs_type) : 0;
 }
 
 __initcall(init_sel_fs);