Thread (4 messages, 2 authors, 2021-01-28)

Re: [PATCH] selinux: measure state and policy capabilities

From: Paul Moore <paul@paul-moore.com>
Date: 2021-01-28 03:34:45
Also in: linux-security-module, lkml, selinux

On Sun, Jan 24, 2021 at 12:04 PM Lakshmi Ramasubramanian
[off-list ref] wrote:
On 1/22/21 1:21 PM, Paul Moore wrote:
...
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 644b17ec9e63..879a0d90615d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7407,6 +7408,10 @@ int selinux_disable(struct selinux_state *state)

         selinux_mark_disabled(state);

+       mutex_lock(&state->policy_mutex);
+       selinux_ima_measure_state(state);
+       mutex_unlock(&state->policy_mutex);
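Review bot: the hunk header advertises four added lines (+7408,10 against -7407,6) but only three `+` lines are quoted here, so the hunk as shown is incomplete and the commit message should be checked against the full diff. As quoted, the measurement is taken after selinux_mark_disabled(state) and under state->policy_mutex, so the commit message should state that what gets measured on this path is the already-disabled state and confirm that no caller of selinux_disable() can already hold policy_mutex, otherwise this mutex_lock() would deadlock.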
I'm not sure if this affects your decision to include this action in
the measurements, but this function is hopefully going away in the not
too distant future as we do away with support for disabling SELinux at
runtime.

FWIW, I'm not sure it's overly useful anyway; you only get here if you
never had any SELinux policy/state configured and you decide to
disable SELinux instead of loading a policy.  However, I've got no
objection to this code.
If support for disabling SELinux at runtime will be removed, then I
don't see a reason to trigger a measurement here. I'll remove this
measurement.
It's currently marked as deprecated, see
Documentation/ABI/obsolete/sysfs-selinux-disable.

-- 
paul moore
www.paul-moore.com