Fix kernel opts for booting in enforcing selinux mode

Mikhail Novosyolov 2019-10-07 01:35:53 +03:00
parent 7a64052e96
commit 1f5dcdbf22


@ -4,7 +4,7 @@
%define sublevel 4
# Release number. Increase this before a rebuild.
%define rpmrel 1
%define rpmrel 2
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}
@ -706,10 +706,17 @@ sed -i 's/CONFIG_STACKPROTECTOR_STRONG=y/# CONFIG_STACKPROTECTOR_STRONG is not s
sed -i 's/# CONFIG_DEBUG_INFO is not set/CONFIG_DEBUG_INFO=y\nCONFIG_DEBUG_INFO_DWARF4=y\nCONFIG_GDB_SCRIPTS=y/' .config
%endif
# Enable hardening features if requested.
%if %{enhanced_security}
sed -i 's/# CONFIG_PAX_MEMORY_SANITIZE is not set/CONFIG_PAX_MEMORY_SANITIZE=y/' .config
sed -i 's/# CONFIG_PAGE_POISONING is not set/CONFIG_PAGE_POISONING=y\nCONFIG_PAGE_POISONING_NO_SANITY=y/' .config
# seems to be needed to boot system in enforcing selinux mode
# note: cpio fpormat of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config
# enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 >> .config
%endif
# Store the config file in the appropriate directory.
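Review bot: Turning on CONFIG_SECURITY_SELINUX_DISABLE inside the `%{enhanced_security}` branch undercuts the hardening that branch exists for: the kernel's Kconfig help for that option states that enabling it keeps the LSM hook function pointers writable after init (so SELinux can be switched off at runtime through selinuxfs), which is the opposite of what the neighbouring page-poisoning and memory-sanitize settings aim at. The boot-parameter options enabled on the following lines already provide a controlled opt-out (`selinux=0` on the kernel command line), so unless the runtime disable is known to be what makes enforcing boot work, consider dropping the two SELINUX_DISABLE lines or replacing "seems to be needed" with the concrete failure it avoids, since the linked initramfs xattr issue looks like a labelling problem rather than one a runtime-disable hook addresses. A smaller point: `sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config` also deletes the `_VALUE` line, making the later `_VALUE` delete a no-op; `sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM\b/d' .config` keeps each delete targeted. The comment typo `fpormat` should read `format`.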