Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | config SECURITY_SELINUX |
2 | bool "NSA SELinux Support" | |
99f6d61b | 3 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
4e5ab4cb | 4 | select NETWORK_SECMARK |
1da177e4 LT |
5 | default n |
6 | help | |
7 | This selects NSA Security-Enhanced Linux (SELinux). | |
8 | You will also need a policy configuration and a labeled filesystem. | |
1da177e4 LT |
9 | If you are unsure how to answer this question, answer N. |
10 | ||
11 | config SECURITY_SELINUX_BOOTPARAM | |
12 | bool "NSA SELinux boot parameter" | |
13 | depends on SECURITY_SELINUX | |
14 | default n | |
15 | help | |
16 | This option adds a kernel parameter 'selinux', which allows SELinux | |
17 | to be disabled at boot. If this option is selected, SELinux | |
18 | functionality can be disabled with selinux=0 on the kernel | |
19 | command line. The purpose of this option is to allow a single | |
20 | kernel image to be distributed with SELinux built in, but not | |
21 | necessarily enabled. | |
22 | ||
23 | If you are unsure how to answer this question, answer N. | |
24 | ||
25 | config SECURITY_SELINUX_BOOTPARAM_VALUE | |
26 | int "NSA SELinux boot parameter default value" | |
27 | depends on SECURITY_SELINUX_BOOTPARAM | |
28 | range 0 1 | |
29 | default 1 | |
30 | help | |
31 | This option sets the default value for the kernel parameter | |
32 | 'selinux', which allows SELinux to be disabled at boot. If this | |
33 | option is set to 0 (zero), the SELinux kernel parameter will | |
34 | default to 0, disabling SELinux at bootup. If this option is | |
35 | set to 1 (one), the SELinux kernel parameter will default to 1, | |
36 | enabling SELinux at bootup. | |
37 | ||
38 | If you are unsure how to answer this question, answer 1. | |
39 | ||
40 | config SECURITY_SELINUX_DISABLE | |
41 | bool "NSA SELinux runtime disable" | |
42 | depends on SECURITY_SELINUX | |
43 | default n | |
44 | help | |
45 | This option enables writing to a selinuxfs node 'disable', which | |
46 | allows SELinux to be disabled at runtime prior to the policy load. | |
47 | SELinux will then remain disabled until the next boot. | |
48 | This option is similar to the selinux=0 boot parameter, but is to | |
49 | support runtime disabling of SELinux, e.g. from /sbin/init, for | |
50 | portability across platforms where boot parameters are difficult | |
51 | to employ. | |
52 | ||
53 | If you are unsure how to answer this question, answer N. | |
54 | ||
55 | config SECURITY_SELINUX_DEVELOP | |
56 | bool "NSA SELinux Development Support" | |
57 | depends on SECURITY_SELINUX | |
58 | default y | |
59 | help | |
60 | This enables the development support option of NSA SELinux, | |
61 | which is useful for experimenting with SELinux and developing | |
62 | policies. If unsure, say Y. With this option enabled, the | |
63 | kernel will start in permissive mode (log everything, deny nothing) | |
64 | unless you specify enforcing=1 on the kernel command line. You | |
65 | can interactively toggle the kernel between enforcing mode and | |
66 | permissive mode (if permitted by the policy) via /selinux/enforce. | |
67 | ||
68 | config SECURITY_SELINUX_AVC_STATS | |
69 | bool "NSA SELinux AVC Statistics" | |
70 | depends on SECURITY_SELINUX | |
71 | default y | |
72 | help | |
73 | This option collects access vector cache statistics to | |
74 | /selinux/avc/cache_stats, which may be monitored via | |
75 | tools such as avcstat. | |
76 | ||
77 | config SECURITY_SELINUX_CHECKREQPROT_VALUE | |
78 | int "NSA SELinux checkreqprot default value" | |
79 | depends on SECURITY_SELINUX | |
80 | range 0 1 | |
81 | default 1 | |
82 | help | |
83 | This option sets the default value for the 'checkreqprot' flag | |
84 | that determines whether SELinux checks the protection requested | |
85 | by the application or the protection that will be applied by the | |
86 | kernel (including any implied execute for read-implies-exec) for | |
87 | mmap and mprotect calls. If this option is set to 0 (zero), | |
88 | SELinux will default to checking the protection that will be applied | |
89 | by the kernel. If this option is set to 1 (one), SELinux will | |
90 | default to checking the protection requested by the application. | |
91 | The checkreqprot flag may be changed from the default via the | |
92 | 'checkreqprot=' boot parameter. It may also be changed at runtime | |
93 | via /selinux/checkreqprot if authorized by policy. | |
94 | ||
95 | If you are unsure how to answer this question, answer 1. | |
4e5ab4cb JM |
96 | |
97 | config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | |
98 | bool "NSA SELinux enable new secmark network controls by default" | |
99 | depends on SECURITY_SELINUX | |
100 | default n | |
101 | help | |
102 | This option determines whether the new secmark-based network | |
103 | controls will be enabled by default. If not, the old internal | |
104 | per-packet controls will be enabled by default, preserving | |
105 | old behavior. | |
106 | ||
107 | If you enable the new controls, you will need updated | |
108 | SELinux userspace libraries, tools and policy. Typically, | |
109 | your distribution will provide these and enable the new controls | |
110 | in the kernel they also distribute. | |
111 | ||
44c09201 | 112 | Note that this option can be overridden at boot with the |
4e5ab4cb JM |
113 | selinux_compat_net parameter, and after boot via |
114 | /selinux/compat_net. See Documentation/kernel-parameters.txt | |
115 | for details on this parameter. | |
116 | ||
117 | If you enable the new network controls, you will likely | |
118 | also require the SECMARK and CONNSECMARK targets, as | |
119 | well as any conntrack helpers for protocols which you | |
120 | wish to control. | |
121 | ||
cab00891 | 122 | If you are unsure what to do here, select N. |
4e5ab4cb | 123 | |
016b9bdb SS |
124 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
125 | bool "NSA SELinux maximum supported policy format version" | |
126 | depends on SECURITY_SELINUX | |
127 | default n | |
128 | help | |
129 | This option enables the maximum policy format version supported | |
130 | by SELinux to be set to a particular value. This value is reported | |
131 | to userspace via /selinux/policyvers and used at policy load time. | |
132 | It can be adjusted downward to support legacy userland (init) that | |
133 | does not correctly handle kernels that support newer policy versions. | |
134 | ||
135 | Examples: | |
136 | For the Fedora Core 3 or 4 Linux distributions, enable this option | |
3dde6ad8 | 137 | and set the value via the next option. For Fedora Core 5 and later, |
016b9bdb SS |
138 | do not enable this option. |
139 | ||
140 | If you are unsure how to answer this question, answer N. | |
141 | ||
142 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE | |
143 | int "NSA SELinux maximum supported policy format version value" | |
144 | depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX | |
64dbf074 | 145 | range 15 23 |
016b9bdb SS |
146 | default 19 |
147 | help | |
148 | This option sets the value for the maximum policy format version | |
149 | supported by SELinux. | |
150 | ||
151 | Examples: | |
152 | For Fedora Core 3, use 18. | |
153 | For Fedora Core 4, use 19. | |
154 | ||
155 | If you are unsure how to answer this question, look for the | |
156 | policy format version supported by your policy toolchain, by | |
157 | running 'checkpolicy -V'. Or look at what policy you have | |
158 | installed under /etc/selinux/$SELINUXTYPE/policy, where | |
159 | SELINUXTYPE is defined in your /etc/selinux/config. | |
160 |