X-Git-Url: https://git.karo-electronics.de/?a=blobdiff_plain;f=security%2Fselinux%2FKconfig;h=8af7a690eb40a15d06f1cba8b5ee25f60c8cdbf9;hb=221656e7c4ce342b99c31eca96c1cbb6d1dce45f;hp=ea7e3efbe0f758ed51dba589e18bd07edd61b76f;hpb=aa34e07e457ed13b44d680b5b605e3e5a585f611;p=karo-tx-linux.git

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ea7e3efbe0f7..8af7a690eb40 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
 config SECURITY_SELINUX_DISABLE
 	bool "NSA SELinux runtime disable"
 	depends on SECURITY_SELINUX
+	select SECURITY_WRITABLE_HOOKS
 	default n
 	help
 	  This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
 	  portability across platforms where boot parameters are difficult
 	  to employ.
 
+	  NOTE: selecting this option will disable the '__ro_after_init'
+	  kernel hardening feature for security hooks.   Please consider
+	  using the selinux=0 boot parameter instead of enabling this
+	  option.
+
 	  If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP