selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE

In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the soon-to-be redundant SECURITY_SELINUX_BOOTPARAM_VALUE. Since explicit ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or not, this CONFIG will become effectively ignored, so remove it. However, in order to stay backward-compatible with "security=selinux", the enable variable defaults to true. Signed-off-by: Kees Cook <keescook@chromium.org>
author: Kees Cook <keescook@chromium.org> 2018-10-01 20:08:57 -0400
committer: Kees Cook <keescook@chromium.org> 2019-01-08 16:18:43 -0500
commit: be6ec88f41ba94746f830ba38cc4d08dd5ddbb08 (patch)
tree: 4f660979afb89835d9dee6f80444e491ede591bc /security/selinux/hooks.c
parent: 0102fb83f90050b86ce37aec810ea17bb4448e0c (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 49865f119b16..c5d9fbbb5e5b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -121,9 +121,8 @@ __setup("enforcing=", enforcing_setup);
 #define selinux_enforcing_boot 1
 #endif
+int selinux_enabled __lsm_ro_after_init = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
-int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 static int __init selinux_enabled_setup(char *str)
 {
        unsigned long enabled;
@@ -132,8 +131,6 @@ static int __init selinux_enabled_setup(char *str)
        return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
-#else
-int selinux_enabled = 1;
 #endif
 static unsigned int selinux_checkreqprot_boot =
author	Kees Cook <keescook@chromium.org>	2018-10-01 20:08:57 -0400
committer	Kees Cook <keescook@chromium.org>	2019-01-08 16:18:43 -0500
commit	be6ec88f41ba94746f830ba38cc4d08dd5ddbb08 (patch)
tree	4f660979afb89835d9dee6f80444e491ede591bc /security/selinux/hooks.c
parent	0102fb83f90050b86ce37aec810ea17bb4448e0c (diff)