On Tue, Dec 17, 2019 at 9:15 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> Rename selinux_enabled to selinux_enabled_boot to make it clear that
> it only reflects whether SELinux was enabled at boot. Replace the
> references to it in the MAC_STATUS audit log in sel_write_enforce()
> with hardcoded "1" values because this code is only reachable if SELinux
> is enabled and does not change its value, and update the corresponding
> MAC_STATUS audit log in sel_write_disable(). Stop clearing
> selinux_enabled in selinux_disable() since it is not used outside of
> initialization code that runs before selinux_disable() can be reached.
> Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata
> since they are only used in initialization code.
>
> Wrap the disabled field in the struct selinux_state with
> CONFIG_SECURITY_SELINUX_DISABLE since it is only used for
> runtime disable.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> v2 switches to hardcoded values for enabled/old-enabled in the MAC_STATUS
> audit records, drops selinux_is_enabled() since it is not needed, and
> makes both selinux_enabled_boot and selinux_enforcing_boot __initdata
> since they are unused outside of initialization code.
> security/selinux/hooks.c | 12 +++++-------
> security/selinux/ibpkey.c | 2 +-
> security/selinux/include/security.h | 4 +++-
> security/selinux/netif.c | 2 +-
> security/selinux/netnode.c | 2 +-
> security/selinux/netport.c | 2 +-
> security/selinux/selinuxfs.c | 11 +++++------
> 7 files changed, 17 insertions(+), 18 deletions(-)

Merged into selinux/next, thanks Stephen.

--
paul moore
www.paul-moore.com