On Fri, 2005-08-26 at 07:48 -0400, Stephen Smalley wrote:
> > @@ -4568,8 +4421,8 @@ int selinux_disable(void)
> >
> > selinux_disabled = 1;
> >
> > - /* Reset security_ops to the secondary module, dummy or capability. */
> > - security_ops = secondary_ops;
> > + /* Reset security_ops to the default */
> > + security_ops = original_ops;
> >
> > /* Unregister netfilter hooks. */
> > selinux_nf_ip_exit();
>
> a runtime disable of SELinux by /sbin/init (upon finding
> SELINUX=disabled in /etc/selinux/config) ends up leaving us with null
> ops rather than the capability or dummy ops. Thus, SELINUX=disabled
> turns off all security ;(

Ok, as with my prior comment, this one is also invalidated by the fact
that the static inlines fall back to the cap_ functions if the operation
is NULL. So I suppose this would work.

--
Stephen Smalley
National Security Agency
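Review bot: The new comment on the `security_ops = original_ops;` assignment in selinux_disable() says only "the default", which hides the property the thread had to work out: after a runtime disable the ops entries may be NULL, and enforcement continues only because the static inline hook wrappers fall back to the cap_ functions when an operation is NULL. The removed comment named the fallback explicitly ("secondary module, dummy or capability"), and the replacement should be equally explicit, for example by stating that original_ops may contain NULL entries and that callers rely on the inline wrappers' cap_ fallback. Without that, a later change that calls through security_ops directly, or that drops the NULL check in a wrapper, would turn SELINUX=disabled into no checks at all, and nothing at this site would warn about it.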