[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line
tobias at miglix.eu
Sun Feb 12 17:43:22 UTC 2017
As some of you might know, the question of enabling SELinux support in
the official Arch Linux kernel package has been brought up a number of
times. The main issue that has been pointed out the previous time was
that enabling SELinux depends on CONFIG_AUDIT which is considered
unnecessary or even harmful for most desktop users since it generates a
flood of kernel log messages.
Citing Thomas Bächler's previous post (in 2014) on the matter:
> And here is my problem: Audit is enabled by default and must be
> explicitly disabled by the admin. This is a showstopper for me! There
> is no kernel option to configure audit to be disabled by default (as
> far as I am aware) so that it can be enabled with 'audit=1' on the
> command line.
Actually, I think there is a perfectly valid and simple way to disable
audit by default: By using the built-in kernel command line. This makes
it possible to specify a number of kernel parameters at build time that
the kernel prepends to the usual command line it gets from the
bootloader. By specifying
in the configuration, the audit subsystem is disabled by default,
but users intending to use it can do so by manually setting audit=1 on
the bootloader's command line. That in turn would override the audit=0
specified on the built-in command line.
I would be glad if Arch Linux's official kernel could support SELinux
again this way!
Thanks for your comments,
 For menuconfig, look at the very end under "Processor type and
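
Added example, not part of the original post: a shell check that reads a kernel config and a bootloader command line and reports which audit= value takes effect when the built-in command line is prepended. The option names CONFIG_CMDLINE_BOOL, CONFIG_CMDLINE and CONFIG_CMDLINE_OVERRIDE (x86 Kconfig) are assumptions, since the post's own configuration line did not survive; effective_audit and the sample config are constructed for illustration.

```shell
#!/bin/sh
# effective_audit CONFIG_FILE "BOOTLOADER CMDLINE"
# Prints the audit= value the kernel would end up with, or "unset".
# Assumes the last audit= occurrence on the combined command line wins.
effective_audit() {
    config=$1
    boot=$2
    builtin_args=
    if grep -q '^CONFIG_CMDLINE_BOOL=y$' "$config"; then
        # Extract the quoted string from CONFIG_CMDLINE="..."
        builtin_args=$(sed -n 's/^CONFIG_CMDLINE="\(.*\)"$/\1/p' "$config")
        if grep -q '^CONFIG_CMDLINE_OVERRIDE=y$' "$config"; then
            # With the override option the bootloader arguments are ignored,
            # so a user's audit=1 could no longer re-enable audit.
            boot=
        fi
    fi
    result=unset
    # Built-in arguments come first, so a later bootloader audit= wins.
    for arg in $builtin_args $boot; do
        case $arg in
            audit=*) result=${arg#audit=} ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample config (not Arch's real kernel config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_AUDIT=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=0"
# CONFIG_CMDLINE_OVERRIDE is not set
EOF

effective_audit "$sample" "root=/dev/sda2 rw quiet"     # prints 0
effective_audit "$sample" "root=/dev/sda2 rw audit=1"   # prints 1
```

On a running system, the command line that was actually used can be read from /proc/cmdline.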