Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | config SECURITY_SELINUX |
2 | bool "NSA SELinux Support" | |
99f6d61b | 3 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
4e5ab4cb | 4 | select NETWORK_SECMARK |
1da177e4 LT |
5 | default n |
6 | help | |
7 | This selects NSA Security-Enhanced Linux (SELinux). | |
8 | You will also need a policy configuration and a labeled filesystem. | |
9 | You can obtain the policy compiler (checkpolicy), the utility for | |
10 | labeling filesystems (setfiles), and an example policy configuration | |
11 | from <http://www.nsa.gov/selinux/>. | |
12 | If you are unsure how to answer this question, answer N. | |
13 | ||
14 | config SECURITY_SELINUX_BOOTPARAM | |
15 | bool "NSA SELinux boot parameter" | |
16 | depends on SECURITY_SELINUX | |
17 | default n | |
18 | help | |
19 | This option adds a kernel parameter 'selinux', which allows SELinux | |
20 | to be disabled at boot. If this option is selected, SELinux | |
21 | functionality can be disabled with selinux=0 on the kernel | |
22 | command line. The purpose of this option is to allow a single | |
23 | kernel image to be distributed with SELinux built in, but not | |
24 | necessarily enabled. | |
25 | ||
26 | If you are unsure how to answer this question, answer N. | |
27 | ||
28 | config SECURITY_SELINUX_BOOTPARAM_VALUE | |
29 | int "NSA SELinux boot parameter default value" | |
30 | depends on SECURITY_SELINUX_BOOTPARAM | |
31 | range 0 1 | |
32 | default 1 | |
33 | help | |
34 | This option sets the default value for the kernel parameter | |
35 | 'selinux', which allows SELinux to be disabled at boot. If this | |
36 | option is set to 0 (zero), the SELinux kernel parameter will | |
37 | default to 0, disabling SELinux at bootup. If this option is | |
38 | set to 1 (one), the SELinux kernel parameter will default to 1, | |
39 | enabling SELinux at bootup. | |
40 | ||
41 | If you are unsure how to answer this question, answer 1. | |
42 | ||
43 | config SECURITY_SELINUX_DISABLE | |
44 | bool "NSA SELinux runtime disable" | |
45 | depends on SECURITY_SELINUX | |
46 | default n | |
47 | help | |
48 | This option enables writing to a selinuxfs node 'disable', which | |
49 | allows SELinux to be disabled at runtime prior to the policy load. | |
50 | SELinux will then remain disabled until the next boot. | |
51 | This option is similar to the selinux=0 boot parameter, but is to | |
52 | support runtime disabling of SELinux, e.g. from /sbin/init, for | |
53 | portability across platforms where boot parameters are difficult | |
54 | to employ. | |
55 | ||
56 | If you are unsure how to answer this question, answer N. | |
57 | ||
58 | config SECURITY_SELINUX_DEVELOP | |
59 | bool "NSA SELinux Development Support" | |
60 | depends on SECURITY_SELINUX | |
61 | default y | |
62 | help | |
63 | This enables the development support option of NSA SELinux, | |
64 | which is useful for experimenting with SELinux and developing | |
65 | policies. If unsure, say Y. With this option enabled, the | |
66 | kernel will start in permissive mode (log everything, deny nothing) | |
67 | unless you specify enforcing=1 on the kernel command line. You | |
68 | can interactively toggle the kernel between enforcing mode and | |
69 | permissive mode (if permitted by the policy) via /selinux/enforce. | |
70 | ||
71 | config SECURITY_SELINUX_AVC_STATS | |
72 | bool "NSA SELinux AVC Statistics" | |
73 | depends on SECURITY_SELINUX | |
74 | default y | |
75 | help | |
76 | This option collects access vector cache statistics to | |
77 | /selinux/avc/cache_stats, which may be monitored via | |
78 | tools such as avcstat. | |
79 | ||
80 | config SECURITY_SELINUX_CHECKREQPROT_VALUE | |
81 | int "NSA SELinux checkreqprot default value" | |
82 | depends on SECURITY_SELINUX | |
83 | range 0 1 | |
84 | default 1 | |
85 | help | |
86 | This option sets the default value for the 'checkreqprot' flag | |
87 | that determines whether SELinux checks the protection requested | |
88 | by the application or the protection that will be applied by the | |
89 | kernel (including any implied execute for read-implies-exec) for | |
90 | mmap and mprotect calls. If this option is set to 0 (zero), | |
91 | SELinux will default to checking the protection that will be applied | |
92 | by the kernel. If this option is set to 1 (one), SELinux will | |
93 | default to checking the protection requested by the application. | |
94 | The checkreqprot flag may be changed from the default via the | |
95 | 'checkreqprot=' boot parameter. It may also be changed at runtime | |
96 | via /selinux/checkreqprot if authorized by policy. | |
97 | ||
98 | If you are unsure how to answer this question, answer 1. | |
4e5ab4cb JM |
99 | |
100 | config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | |
101 | bool "NSA SELinux enable new secmark network controls by default" | |
102 | depends on SECURITY_SELINUX | |
103 | default n | |
104 | help | |
105 | This option determines whether the new secmark-based network | |
106 | controls will be enabled by default. If not, the old internal | |
107 | per-packet controls will be enabled by default, preserving | |
108 | old behavior. | |
109 | ||
110 | If you enable the new controls, you will need updated | |
111 | SELinux userspace libraries, tools and policy. Typically, | |
112 | your distribution will provide these and enable the new controls | |
113 | in the kernel they also distribute. | |
114 | ||
44c09201 | 115 | Note that this option can be overridden at boot with the |
4e5ab4cb JM |
116 | selinux_compat_net parameter, and after boot via |
117 | /selinux/compat_net. See Documentation/kernel-parameters.txt | |
118 | for details on this parameter. | |
119 | ||
120 | If you enable the new network controls, you will likely | |
121 | also require the SECMARK and CONNSECMARK targets, as | |
122 | well as any conntrack helpers for protocols which you | |
123 | wish to control. | |
124 | ||
cab00891 | 125 | If you are unsure what to do here, select N. |
4e5ab4cb | 126 | |
016b9bdb SS |
127 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
128 | bool "NSA SELinux maximum supported policy format version" | |
129 | depends on SECURITY_SELINUX | |
130 | default n | |
131 | help | |
132 | This option enables the maximum policy format version supported | |
133 | by SELinux to be set to a particular value. This value is reported | |
134 | to userspace via /selinux/policyvers and used at policy load time. | |
135 | It can be adjusted downward to support legacy userland (init) that | |
136 | does not correctly handle kernels that support newer policy versions. | |
137 | ||
138 | Examples: | |
139 | For the Fedora Core 3 or 4 Linux distributions, enable this option | |
3dde6ad8 | 140 | and set the value via the next option. For Fedora Core 5 and later, |
016b9bdb SS |
141 | do not enable this option. |
142 | ||
143 | If you are unsure how to answer this question, answer N. | |
144 | ||
145 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE | |
146 | int "NSA SELinux maximum supported policy format version value" | |
147 | depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX | |
3bb56b25 | 148 | range 15 22 |
016b9bdb SS |
149 | default 19 |
150 | help | |
151 | This option sets the value for the maximum policy format version | |
152 | supported by SELinux. | |
153 | ||
154 | Examples: | |
155 | For Fedora Core 3, use 18. | |
156 | For Fedora Core 4, use 19. | |
157 | ||
158 | If you are unsure how to answer this question, look for the | |
159 | policy format version supported by your policy toolchain, by | |
160 | running 'checkpolicy -V'. Or look at what policy you have | |
161 | installed under /etc/selinux/$SELINUXTYPE/policy, where | |
162 | SELINUXTYPE is defined in your /etc/selinux/config. | |
163 |