Message ID | 20190117062447.20130-2-po-hsu.lin@canonical.com |
---|---|
State | New |
Headers | show |
Series | UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE | expand |
On 2019-01-17 14:24:47, Po-Hsu Lin wrote: > BugLink: https://bugs.launchpad.net/bugs/1812153 > > CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled. > > This option allows disabling selinux after boot and it will conflict > with read-only LSM structures. Since Ubuntu is primarily using AppArmor > for its LSM, it makes sense to drop this feature in favor of the > protections offered by __ro_after_init markings on the LSM structures. > (LP: #1680315) > > Disable it to match the requirement in the kernel-security test suite. > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Tyler > --- > debian.kvm/config/config.common.ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu > index 2fc1963..df0e13b 100644 > --- a/debian.kvm/config/config.common.ubuntu > +++ b/debian.kvm/config/config.common.ubuntu > @@ -2101,7 +2101,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y > CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 > CONFIG_SECURITY_SELINUX_DEVELOP=y > -CONFIG_SECURITY_SELINUX_DISABLE=y > +# CONFIG_SECURITY_SELINUX_DISABLE is not set > # CONFIG_SECURITY_SELINUX_STACKED is not set > CONFIG_SECURITY_SMACK=y > # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set > -- > 2.7.4 > > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 17.01.19 07:24, Po-Hsu Lin wrote: > BugLink: https://bugs.launchpad.net/bugs/1812153 > > CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled. > > This option allows disabling selinux after boot and it will conflict > with read-only LSM structures. Since Ubuntu is primarily using AppArmor > for its LSM, it makes sense to drop this feature in favor of the > protections offered by __ro_after_init markings on the LSM structures. > (LP: #1680315) > > Disable it to match the requirement in the kernel-security test suite. > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > debian.kvm/config/config.common.ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu > index 2fc1963..df0e13b 100644 > --- a/debian.kvm/config/config.common.ubuntu > +++ b/debian.kvm/config/config.common.ubuntu > @@ -2101,7 +2101,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y > CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 > CONFIG_SECURITY_SELINUX_DEVELOP=y > -CONFIG_SECURITY_SELINUX_DISABLE=y > +# CONFIG_SECURITY_SELINUX_DISABLE is not set > # CONFIG_SECURITY_SELINUX_STACKED is not set > CONFIG_SECURITY_SMACK=y > # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set >
diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu index 2fc1963..df0e13b 100644 --- a/debian.kvm/config/config.common.ubuntu +++ b/debian.kvm/config/config.common.ubuntu @@ -2101,7 +2101,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 CONFIG_SECURITY_SELINUX_DEVELOP=y -CONFIG_SECURITY_SELINUX_DISABLE=y +# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_STACKED is not set CONFIG_SECURITY_SMACK=y # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
BugLink: https://bugs.launchpad.net/bugs/1812153 CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled. This option allows disabling selinux after boot and it will conflict with read-only LSM structures. Since Ubuntu is primarily using AppArmor for its LSM, it makes sense to drop this feature in favor of the protections offered by __ro_after_init markings on the LSM structures. (LP: #1680315) Disable it to match the requirement in the kernel-security test suite. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> --- debian.kvm/config/config.common.ubuntu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)