[patch 1/1] selinux: require AUDIT

From: Stephen Smalley
Date: Tue Feb 07 2006 - 10:44:03 EST

Next message: mchehab: "[PATCH 07/16] Fixed i2c return value, conversion mdelay to msleep"
Previous message: mchehab: "[PATCH 16/16] Disabled debug on by default in tvp5150"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Make SELinux depend on AUDIT as it requires the basic audit support to
log permission denials at all. Note that AUDITSYSCALL remains optional
for SELinux, although it can be useful in providing further information
upon denials. Please apply.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Acked-by: James Morris <jmorris@xxxxxxxxx>

---

init/Kconfig | 1 -
security/selinux/Kconfig | 2 +-
security/selinux/avc.c | 2 --
3 files changed, 1 insertion(+), 4 deletions(-)

diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/init/Kconfig linux-2.6.16-rc2-git2-x/init/Kconfig
--- linux-2.6.16-rc2-git2/init/Kconfig 2006-02-07 09:31:03.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/init/Kconfig 2006-02-07 09:48:49.000000000 -0500
@@ -169,7 +169,6 @@ config SYSCTL
config AUDIT
bool "Auditing support"
depends on NET
- default y if SECURITY_SELINUX
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/security/selinux/avc.c linux-2.6.16-rc2-git2-x/security/selinux/avc.c
--- linux-2.6.16-rc2-git2/security/selinux/avc.c 2006-02-06 11:44:47.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/security/selinux/avc.c 2006-02-07 09:48:49.000000000 -0500
@@ -43,13 +43,11 @@ static const struct av_perm_to_string
#undef S_
};

-#ifdef CONFIG_AUDIT
static const char *class_to_string[] = {
#define S_(s) s,
#include "class_to_string.h"
#undef S_
};
-#endif

#define TB_(s) static const char * s [] = {
#define TE_(s) };
diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/security/selinux/Kconfig linux-2.6.16-rc2-git2-x/security/selinux/Kconfig
--- linux-2.6.16-rc2-git2/security/selinux/Kconfig 2006-02-07 09:31:03.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/security/selinux/Kconfig 2006-02-07 09:48:49.000000000 -0500
@@ -1,6 +1,6 @@
config SECURITY_SELINUX
bool "NSA SELinux Support"
- depends on SECURITY_NETWORK && NET && INET
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
default n
help
This selects NSA Security-Enhanced Linux (SELinux).

--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: mchehab: "[PATCH 07/16] Fixed i2c return value, conversion mdelay to msleep"
Previous message: mchehab: "[PATCH 16/16] Disabled debug on by default in tvp5150"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]