[B/linux-azure,SRU,1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
diff mbox series

Message ID 20190131120406.22391-2-po-hsu.lin@canonical.com
State New
Headers show
Series
  • [B/linux-azure,SRU,1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
Related show

Commit Message

Po-Hsu Lin Jan. 31, 2019, 12:04 p.m. 
BugLink: https://bugs.launchpad.net/bugs/1813866

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 debian.azure/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch
diff mbox series 

diff --git a/debian.azure/config/config.common.ubuntu b/debian.azure/config/config.common.ubuntu
index 77d1e17..c22cd79 100644
--- a/debian.azure/config/config.common.ubuntu
+++ b/debian.azure/config/config.common.ubuntu
@@ -4046,7 +4046,7 @@  CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_DISABLE=y
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
 # CONFIG_SECURITY_SELINUX_STACKED is not set
 CONFIG_SECURITY_SMACK=y
 CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y