Message ID | 20190131120406.22391-3-po-hsu.lin@canonical.com |
---|---|
State | New |
Headers | show |
Series | UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE | expand |
diff --git a/debian.azure/config/config.common.ubuntu b/debian.azure/config/config.common.ubuntu index d79c408..89018bd 100644 --- a/debian.azure/config/config.common.ubuntu +++ b/debian.azure/config/config.common.ubuntu @@ -4045,7 +4045,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 CONFIG_SECURITY_SELINUX_DEVELOP=y -CONFIG_SECURITY_SELINUX_DISABLE=y +# CONFIG_SECURITY_SELINUX_DISABLE is not set CONFIG_SECURITY_SMACK=y CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y # CONFIG_SECURITY_SMACK_BRINGUP is not set
BugLink: https://bugs.launchpad.net/bugs/1813866 This option allows disabling selinux after boot and it will conflict with read-only LSM structures. Since Ubuntu is primarily using AppArmor for its LSM, it makes sense to drop this feature in favor of the protections offered by __ro_after_init markings on the LSM structures. (LP: #1680315) Disable it to match the requirement in the kernel-security test suite. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> --- debian.azure/config/config.common.ubuntu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)