[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line

Tobias Markus tobias at miglix.eu
Sun Feb 12 17:43:22 UTC 2017


Hi,

As some of you might know, the question of enabling SELinux support in
the official Arch Linux kernel package has been brought up a number of
times. The main issue that has been pointed out the previous time was
that enabling SELinux depends on CONFIG_AUDIT which is considered
unnecessary or even harmful for most desktop users since it generates a
flood of kernel log messages.

Citing Thomas Bächler's previous post (in 2014) on the matter [1]:

> And here is my problem: Audit is enabled by default and must be
> explicitly disabled by the admin. This is a showstopper for me! There
> is no kernel option to configure audit to be disabled by default (as
> far as I am aware) so that it can be enabled with 'audit=1' on the
> command line.

Actually, I think there is a perfectly valid and simple way to disable
audit by default: By using the built-in kernel command line. This makes
it possible to specify a number of kernel parameters at build time that
the kernel prepends to the usual command line it gets from the
bootloader. By specifying

CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=0"

in the configuration [2], the audit subsystem is disabled by default,
but users intending to use it can do so by manually setting audit=1 on
the bootloader's command line. That in turn would override the audit=0
specified on the built-in command line.

I would be glad if Arch Linux's official kernel could support SELinux
again this way!

Thanks for your comments,
Tobias

[1] https://lists.archlinux.org/pipermail/arch-general/2014-March/035679.html
[2] For menuconfig, look at the very end under "Processor type and
features"
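
The precedence described in the post, as an added example that is not part of the original message: a shell sketch that reads a kernel .config and a bootloader command line and reports which audit= value would take effect. The function names and sample values are hypothetical; CONFIG_CMDLINE_OVERRIDE is an x86 option the post does not mention, included because it makes the kernel ignore the bootloader's arguments.

```shell
# Added example: predict the audit= value implied by a kernel .config plus
# the bootloader command line (assumes built-in arguments are prepended).

# config_value FILE KEY -> value of KEY with quotes stripped, or nothing.
config_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# effective_cmdline FILE BOOTLOADER_ARGS -> the line the kernel would parse.
effective_cmdline() {
    builtin_args=
    if [ "$(config_value "$1" CONFIG_CMDLINE_BOOL)" = y ]; then
        builtin_args=$(config_value "$1" CONFIG_CMDLINE)
        # With CONFIG_CMDLINE_OVERRIDE=y the bootloader arguments are ignored,
        # so audit=1 from the bootloader could not re-enable audit.
        if [ "$(config_value "$1" CONFIG_CMDLINE_OVERRIDE)" = y ]; then
            printf '%s\n' "$builtin_args"; return
        fi
    fi
    printf '%s\n' "$builtin_args $2"
}

# audit_setting FILE BOOTLOADER_ARGS -> last audit= value seen, or "unset".
audit_setting() {
    result=unset
    for arg in $(effective_cmdline "$1" "$2"); do
        case $arg in audit=*) result=${arg#audit=} ;; esac
    done
    printf '%s\n' "$result"
}

# Constructed sample: the two options from the post, in a temporary .config.
sample_config=$(mktemp)
trap 'rm -f "$sample_config"' EXIT
printf '%s\n' 'CONFIG_CMDLINE_BOOL=y' 'CONFIG_CMDLINE="audit=0"' \
    '# CONFIG_CMDLINE_OVERRIDE is not set' > "$sample_config"
audit_setting "$sample_config" 'root=/dev/sda1 rw'          # prints 0
audit_setting "$sample_config" 'root=/dev/sda1 rw audit=1'  # prints 1
```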

