[C/linux-azure][SRU][PATCH 1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
Po-Hsu Lin
po-hsu.lin at canonical.com
Thu Jan 31 12:04:06 UTC 2019
BugLink: https://bugs.launchpad.net/bugs/1813866
This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)
Disable it to match the requirement in the kernel-security test suite.
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
debian.azure/config/config.common.ubuntu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian.azure/config/config.common.ubuntu b/debian.azure/config/config.common.ubuntu
index d79c408..89018bd 100644
--- a/debian.azure/config/config.common.ubuntu
+++ b/debian.azure/config/config.common.ubuntu
@@ -4045,7 +4045,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_DISABLE=y
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
--
2.7.4
More information about the kernel-team
mailing list