On Sun, Jan 24, 2021 at 12:04 PM Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> wrote:
> On 1/22/21 1:21 PM, Paul Moore wrote:

...

> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 644b17ec9e63..879a0d90615d 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -7407,6 +7408,10 @@ int selinux_disable(struct selinux_state *state)
> >>
> >> selinux_mark_disabled(state);
> >>
> >> + mutex_lock(&state->policy_mutex);
> >> + selinux_ima_measure_state(state);
> >> + mutex_unlock(&state->policy_mutex);
> >
> > I'm not sure if this affects your decision to include this action in
> > the measurements, but this function is hopefully going away in the not
> > too distant future as we do away with support for disabling SELinux at
> > runtime.
> >
> > FWIW, I'm not sure it's overly useful anyway; you only get here if you
> > never had any SELinux policy/state configured and you decide to
> > disable SELinux instead of loading a policy. However, I've got no
> > objection to this code.
>
> If support for disabling SELinux at runtime will be removed, then I
> don't see a reason to trigger a measurement here. I'll remove this
> measurement.

It's currently marked as deprecated, see Documentation/ABI/obsolete/sysfs-selinux-disable.

--
paul moore
www.paul-moore.com
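Review bot: the three added lines in the selinux_disable() hunk (`mutex_lock(&state->policy_mutex);` / `selinux_ima_measure_state(state);` / `mutex_unlock(&state->policy_mutex);`) put a new IMA measurement into a code path that this thread identifies as deprecated (Documentation/ABI/obsolete/sysfs-selinux-disable) and slated for removal, and that is only reached when no policy was ever loaded; dropping the hunk, as the author agrees to do, is preferable to carrying measurement logic that will become dead code, and it also avoids leaving an extra policy_mutex critical section in a function that is about to disappear.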