ACK: [B/linux-kvm][SRU][PATCH 1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
Stefan Bader
stefan.bader at canonical.com
Mon Jan 21 14:35:04 UTC 2019
On 17.01.19 07:24, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1812153
>
> CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled.
>
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
>
> Disable it to match the requirement in the kernel-security test suite.
>
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> debian.kvm/config/config.common.ubuntu | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
> index 2fc1963..df0e13b 100644
> --- a/debian.kvm/config/config.common.ubuntu
> +++ b/debian.kvm/config/config.common.ubuntu
> @@ -2101,7 +2101,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> -CONFIG_SECURITY_SELINUX_DISABLE=y
> +# CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_STACKED is not set
> CONFIG_SECURITY_SMACK=y
> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20190121/7e350c1c/attachment.sig>
More information about the kernel-team
mailing list