[B/linux-kvm,SRU,0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Message ID	20190117062447.20130-1-po-hsu.lin@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Po-Hsu Lin <po-hsu.lin@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [B/linux-kvm][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE Date: Thu, 17 Jan 2019 14:24:46 +0800 Message-Id: <20190117062447.20130-1-po-hsu.lin@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE \| expand [B/linux-kvm,SRU,0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE [B/linux-kvm,SRU,1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Message ID

20190117062447.20130-1-po-hsu.lin@canonical.com

Headers

From: Po-Hsu Lin <po-hsu.lin@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [B/linux-kvm][SRU][PATCH 0/1] UBUNTU: [Config]: disable
	CONFIG_SECURITY_SELINUX_DISABLE
Date: Thu, 17 Jan 2019 14:24:46 +0800
Message-Id: <20190117062447.20130-1-po-hsu.lin@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE | expand

Message

Po-Hsu Lin Jan. 17, 2019, 6:24 a.m. UTC

BugLink: https://bugs.launchpad.net/bugs/1812153

CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled.

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Po-Hsu Lin (1):
  UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

 debian.kvm/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Khalid Elmously Jan. 27, 2019, 11:55 p.m. UTC | #1

On 2019-01-17 14:24:46 , Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1812153
> 
> CONFIG_SECURITY_SELINUX_DISABLE is expected to be disabled.
> 
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
> 
> Disable it to match the requirement in the kernel-security test suite.
> 
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
> 
>  debian.kvm/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team