[kernel] Enable YAMA (rhbz 1196825)

Mon Mar 2 15:17:11 UTC 2015

commit ebce054077d69a2ad55196985c64708a0601bbce
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Mar 2 10:14:15 2015 -0500

    Enable YAMA (rhbz 1196825)

 config-generic                                     |  3 ++-
 kernel.spec                                        |  9 +++++++
 ...ma-Remove-unnecessary-selects-from-Kconfi.patch | 28 ++++++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
---

diff --git a/config-generic b/config-generic
index 275aa23..c021285 100644
--- a/config-generic
+++ b/config-generic
@@ -4546,7 +4546,8 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_YAMA_STACKED=y
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
 # http://lists.fedoraproject.org/pipermail/kernel/2013-February/004125.html
diff --git a/kernel.spec b/kernel.spec
index 4fc47f2..e2d82dc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -623,6 +623,9 @@ Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
 #rhbz 1190947
 Patch26139: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
 
+#rhbz 1196825
+Patch26140: security-yama-Remove-unnecessary-selects-from-Kconfi.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 Patch30001: kernel-arm64-fix-psci-when-pg.patch
@@ -1355,6 +1358,9 @@ ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
 #rhbz 1190947
 ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
 
+#rhbz 1196825
+ApplyPatch security-yama-Remove-unnecessary-selects-from-Kconfi.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2215,6 +2221,9 @@ fi
 #
 # 
 %changelog
+* Mon Mar 02 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- Enable YAMA (rhbz 1196825)
+
 * Sat Feb 28 2015 Peter Robinson <pbrobinson at fedoraproject.org>
 - ARMv7 OMAP updates, fix panda boot
 
diff --git a/security-yama-Remove-unnecessary-selects-from-Kconfi.patch b/security-yama-Remove-unnecessary-selects-from-Kconfi.patch
new file mode 100644
index 0000000..aa2a0d3
--- /dev/null
+++ b/security-yama-Remove-unnecessary-selects-from-Kconfi.patch
@@ -0,0 +1,28 @@
+From: Stephen Smalley <sds at tycho.nsa.gov>
+Date: Fri, 27 Feb 2015 16:23:59 -0500
+Subject: [PATCH] security/yama: Remove unnecessary selects from Kconfig.
+
+Yama selects SECURITYFS and SECURITY_PATH, but requires neither.
+Remove them.
+
+Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
+---
+ security/yama/Kconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index 20ef5143c0c0..3123e1da2fed 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -1,8 +1,6 @@
+ config SECURITY_YAMA
+ 	bool "Yama support"
+ 	depends on SECURITY
+-	select SECURITYFS
+-	select SECURITY_PATH
+ 	default n
+ 	help
+ 	  This selects Yama, which extends DAC support with additional
+-- 
+2.1.0
+
