[B/linux-azure][C/linux-azure][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

[B/linux-azure][C/linux-azure][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1813866

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Po-Hsu Lin (1):
  UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

 debian.azure/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[B/linux-azure][SRU][PATCH 1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1813866

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.azure/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.azure/config/config.common.ubuntu b/debian.azure/config/config.common.ubuntu
index 77d1e17..c22cd79 100644
--- a/debian.azure/config/config.common.ubuntu
+++ b/debian.azure/config/config.common.ubuntu
@@ -4046,7 +4046,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_DISABLE=y
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
 # CONFIG_SECURITY_SELINUX_STACKED is not set
 CONFIG_SECURITY_SMACK=y
 CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
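
Review bot: the context lines just above the changed `CONFIG_SECURITY_SELINUX_DISABLE` line leave `CONFIG_SECURITY_SELINUX_BOOTPARAM=y` and `CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0` untouched, and the commit message does not mention them. Suggest adding one sentence to the message stating that only the after-boot disable is dropped and that the boot-parameter settings are kept on purpose, so the scope of this SRU is clear from the log alone.
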
--
2.7.4



[C/linux-azure][SRU][PATCH 1/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1813866

This option allows disabling selinux after boot and it will conflict
with read-only LSM structures. Since Ubuntu is primarily using AppArmor
for its LSM, it makes sense to drop this feature in favor of the
protections offered by __ro_after_init markings on the LSM structures.
(LP: #1680315)

Disable it to match the requirement in the kernel-security test suite.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.azure/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.azure/config/config.common.ubuntu b/debian.azure/config/config.common.ubuntu
index d79c408..89018bd 100644
--- a/debian.azure/config/config.common.ubuntu
+++ b/debian.azure/config/config.common.ubuntu
@@ -4045,7 +4045,7 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_DISABLE=y
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
 CONFIG_SECURITY_SMACK=y
 CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
 # CONFIG_SECURITY_SMACK_BRINGUP is not set
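
Review bot: for the changed line `# CONFIG_SECURITY_SELINUX_DISABLE is not set`, the commit message cites "the requirement in the kernel-security test suite" without naming the test that checks this option. It is also word for word the bionic message, although the context here differs (there is no `CONFIG_SECURITY_SELINUX_STACKED` line after the change). Suggest naming the test case in the message body so that verification on this series can be traced from the commit.
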
--
2.7.4



ACK: [B/linux-azure][C/linux-azure][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Stefan Bader-2
On 31.01.19 13:04, Po-Hsu Lin wrote:

> BugLink: https://bugs.launchpad.net/bugs/1813866
>
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
>
> Disable it to match the requirement in the kernel-security test suite.
>
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
>
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
Acked-by: Stefan Bader <[hidden email]>



ACK: [B/linux-azure][C/linux-azure][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Khaled Elmously
On 2019-01-31 20:04:04, Po-Hsu Lin wrote:

> BugLink: https://bugs.launchpad.net/bugs/1813866
>
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
>
> Disable it to match the requirement in the kernel-security test suite.
>
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
>
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Acked-by: Khalid Elmously <[hidden email]>



APPLIED: [B/linux-azure][C/linux-azure][SRU][PATCH 0/1] UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE

Kleber Souza
On 1/31/19 1:04 PM, Po-Hsu Lin wrote:

> BugLink: https://bugs.launchpad.net/bugs/1813866
>
> This option allows disabling selinux after boot and it will conflict
> with read-only LSM structures. Since Ubuntu is primarily using AppArmor
> for its LSM, it makes sense to drop this feature in favor of the
> protections offered by __ro_after_init markings on the LSM structures.
> (LP: #1680315)
>
> Disable it to match the requirement in the kernel-security test suite.
>
> Po-Hsu Lin (1):
>   UBUNTU: [Config]: disable CONFIG_SECURITY_SELINUX_DISABLE
>
>  debian.azure/config/config.common.ubuntu | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to bionic/linux-azure/master-next and
cosmic/linux-azure/master-next branches.

Thanks,
Kleber


