Merge tag 'drm-coc-for-v4.12-rc1' of git://people.freedesktop.org/~airlied/linux

[mirror_ubuntu-bionic-kernel.git] / security / selinux / Kconfig

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ea7e3efbe0f758ed51dba589e18bd07edd61b76f..8af7a690eb40a15d06f1cba8b5ee25f60c8cdbf9 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
 config SECURITY_SELINUX_DISABLE
        bool "NSA SELinux runtime disable"
        depends on SECURITY_SELINUX
+       select SECURITY_WRITABLE_HOOKS
        default n
        help
          This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
          portability across platforms where boot parameters are difficult
          to employ.
 
+         NOTE: selecting this option will disable the '__ro_after_init'
+         kernel hardening feature for security hooks.   Please consider
+         using the selinux=0 boot parameter instead of enabling this
+         option.
+
          If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP