[PATCH] selinux: require AUDIT

Make SELinux depend on AUDIT as it requires the basic audit support to log
permission denials at all.  Note that AUDITSYSCALL remains optional for
SELinux, although it can be useful in providing further information upon
denials.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/init/Kconfig b/init/Kconfig
index 8b7abae87bf9c15ec3934e73322df849595e81dc..38416a199def24332f22692e9da1203a962a8d58 100644 (file)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -169,7 +169,6 @@ config SYSCTL
 config AUDIT
        bool "Auditing support"
        depends on NET
-       default y if SECURITY_SELINUX
        help
          Enable auditing infrastructure that can be used with another
          kernel subsystem, such as SELinux (which requires this for

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 502f78f13f5f762d84267c3ec45feea3c7e33887..f636f53ca5444ccabdd231e5be72d8bbe976838e 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
        bool "NSA SELinux Support"
-       depends on SECURITY_NETWORK && NET && INET
+       depends on SECURITY_NETWORK && AUDIT && NET && INET
        default n
        help
          This selects NSA Security-Enhanced Linux (SELinux).

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 53d6c7bbf56459f6aa7145a7c3649a754588abc1..ac5d69bb3377edb3c8bec35f7a1c1570425980d8 100644 (file)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -43,13 +43,11 @@ static const struct av_perm_to_string
 #undef S_
 };
 
-#ifdef CONFIG_AUDIT
 static const char *class_to_string[] = {
 #define S_(s) s,
 #include "class_to_string.h"
 #undef S_
 };
-#endif
 
 #define TB_(s) static const char * s [] = {
 #define TE_(s) };