2 files changed, 1 insertions, 19 deletions

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 8af7a690eb40..55f032f1fc2d 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -22,21 +22,6 @@ config SECURITY_SELINUX_BOOTPARAM
 
           If you are unsure how to answer this question, answer N.
 
-config SECURITY_SELINUX_BOOTPARAM_VALUE
-        int "NSA SELinux boot parameter default value"
-        depends on SECURITY_SELINUX_BOOTPARAM
-        range 0 1
-        default 1
-        help
-          This option sets the default value for the kernel parameter
-          'selinux', which allows SELinux to be disabled at boot.  If this
-          option is set to 0 (zero), the SELinux kernel parameter will
-          default to 0, disabling SELinux at bootup.  If this option is
-          set to 1 (one), the SELinux kernel parameter will default to 1,
-          enabling SELinux at bootup.
-
-          If you are unsure how to answer this question, answer 1.
-
 config SECURITY_SELINUX_DISABLE
         bool "NSA SELinux runtime disable"
         depends on SECURITY_SELINUX
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 49865f119b16..c5d9fbbb5e5b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -121,9 +121,8 @@ __setup("enforcing=", enforcing_setup);
 #define selinux_enforcing_boot 1
 #endif
 
+int selinux_enabled __lsm_ro_after_init = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
-int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
-
 static int __init selinux_enabled_setup(char *str)
 {
         unsigned long enabled;
@@ -132,8 +131,6 @@ static int __init selinux_enabled_setup(char *str)
         return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
-#else
-int selinux_enabled = 1;
 #endif
 
 static unsigned int selinux_checkreqprot_boot =