[patch 1/1] selinux: require AUDIT

Make SELinux depend on AUDIT as it requires the basic audit support to
log permission denials at all.  Note that AUDITSYSCALL remains optional
for SELinux, although it can be useful in providing further information
upon denials.  Please apply.

Signed-off-by:  Stephen Smalley <[email protected]>
Acked-by:  James Morris <[email protected]>

---

 init/Kconfig             |    1 -
 security/selinux/Kconfig |    2 +-
 security/selinux/avc.c   |    2 --
 3 files changed, 1 insertion(+), 4 deletions(-)

diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/init/Kconfig linux-2.6.16-rc2-git2-x/init/Kconfig
--- linux-2.6.16-rc2-git2/init/Kconfig	2006-02-07 09:31:03.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/init/Kconfig	2006-02-07 09:48:49.000000000 -0500
@@ -169,7 +169,6 @@ config SYSCTL
 config AUDIT
 	bool "Auditing support"
 	depends on NET
-	default y if SECURITY_SELINUX
 	help
 	  Enable auditing infrastructure that can be used with another
 	  kernel subsystem, such as SELinux (which requires this for
diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/security/selinux/avc.c linux-2.6.16-rc2-git2-x/security/selinux/avc.c
--- linux-2.6.16-rc2-git2/security/selinux/avc.c	2006-02-06 11:44:47.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/security/selinux/avc.c	2006-02-07 09:48:49.000000000 -0500
@@ -43,13 +43,11 @@ static const struct av_perm_to_string
 #undef S_
 };
 
-#ifdef CONFIG_AUDIT
 static const char *class_to_string[] = {
 #define S_(s) s,
 #include "class_to_string.h"
 #undef S_
 };
-#endif
 
 #define TB_(s) static const char * s [] = {
 #define TE_(s) };
diff -rup -X /home/sds/dontdiff linux-2.6.16-rc2-git2/security/selinux/Kconfig linux-2.6.16-rc2-git2-x/security/selinux/Kconfig
--- linux-2.6.16-rc2-git2/security/selinux/Kconfig	2006-02-07 09:31:03.000000000 -0500
+++ linux-2.6.16-rc2-git2-x/security/selinux/Kconfig	2006-02-07 09:48:49.000000000 -0500
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && NET && INET
+	depends on SECURITY_NETWORK && AUDIT && NET && INET
 	default n
 	help
 	  This selects NSA Security-Enhanced Linux (SELinux).

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Prev by Date: [PATCH 11/16] FIX: Multiple usage of VP7045-based devices
• Next by Date: [PATCH 07/16] Fixed i2c return value, conversion mdelay to msleep
• Previous by thread: Re: [PATCH] percpu data: only iterate over possible CPUs
• Next by thread: [patch 2/2] s390: some qeth driver fixes
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]