mbox series

[B/linux-azure,C/linux-azure,SRU,0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Message ID 20190131120406.22391-1-po-hsu.lin@canonical.com
Headers show
Series UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE | expand

Message

Po-Hsu Lin Jan. 31, 2019, 12:04 p.m. UTC 
BugLink: https://bugs.launchpad.net/bugs/1813866

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Po-Hsu Lin (1):
  UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

 debian.azure/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader Feb. 1, 2019, 12:53 p.m. UTC | #1 
On 31.01.19 13:04, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1813866
> 
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
> 
> Disable it to match the requirement in the kernel-security test suite.
> 
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
> 
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Khalid Elmously Feb. 4, 2019, 5:05 a.m. UTC | #2 
On 2019-01-31 20:04:04 , Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1813866
> 
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
> 
> Disable it to match the requirement in the kernel-security test suite.
> 
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
> 
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 

Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Kleber Sacilotto de Souza Feb. 4, 2019, 2:55 p.m. UTC | #3 
On 1/31/19 1:04 PM, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1813866
>
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
>
> Disable it to match the requirement in the kernel-security test suite.
>
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
>
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to bionic/linux-azure/master-next and
cosmic/linux-azure/master-next branches.

Thanks,
Kleber