[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line
Tobias Markus
tobias at miglix.eu
Sun Feb 12 17:43:22 UTC 2017
Hi,
As some of you might know, the question of enabling SELinux support in
the official Arch Linux kernel package has been brought up a number of
times. The main issue that has been pointed out the previous time was
that enabling SELinux depends on CONFIG_AUDIT which is considered
unnecessary or even harmful for most desktop users since it generates a
flood of kernel log messages.
Citing Thomas Bächler's previous post (in 2014) on the matter [1]:
> And here is my problem: Audit is enabled by default and must be
> explicitly disabled by the admin. This is a showstopper for me! There
> is no kernel option to configure audit to be disabled by default (as
> far as I am aware) so that it can be enabled with 'audit=1' on the
> command line.
Actually, I think there is a perfectly valid and simple way to disable
audit by default: By using the built-in kernel command line. This makes
it possible to specify a number of kernel parameters at build time that
the kernel prepends to the usual command line it gets from the
bootloader. By specifying
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=0"
in the configuration [2], the audit subsystem is disabled by default,
but users intending to use it can do so by manually setting audit=1 on
the bootloader's command line. That in turn would override the audit=0
specified on the built-in command line.
I would be glad if Arch Linux's official kernel could support SELinux
again this way!
Thanks for your comments,
Tobias
[1] https://lists.archlinux.org/pipermail/arch-general/2014-March/03567
9.html
[2] For menuconfig, look at the very end under "Processor type and
features"
More information about the arch-general
mailing list