]>
Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | config SECURITY_SELINUX |
3 | bool "NSA SELinux Support" | |
99f6d61b | 4 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
4e5ab4cb | 5 | select NETWORK_SECMARK |
1da177e4 LT |
6 | default n |
7 | help | |
8 | This selects NSA Security-Enhanced Linux (SELinux). | |
9 | You will also need a policy configuration and a labeled filesystem. | |
1da177e4 LT |
10 | If you are unsure how to answer this question, answer N. |
11 | ||
12 | config SECURITY_SELINUX_BOOTPARAM | |
13 | bool "NSA SELinux boot parameter" | |
14 | depends on SECURITY_SELINUX | |
15 | default n | |
16 | help | |
17 | This option adds a kernel parameter 'selinux', which allows SELinux | |
18 | to be disabled at boot. If this option is selected, SELinux | |
19 | functionality can be disabled with selinux=0 on the kernel | |
20 | command line. The purpose of this option is to allow a single | |
21 | kernel image to be distributed with SELinux built in, but not | |
22 | necessarily enabled. | |
23 | ||
24 | If you are unsure how to answer this question, answer N. | |
25 | ||
1da177e4 LT |
26 | config SECURITY_SELINUX_DISABLE |
27 | bool "NSA SELinux runtime disable" | |
28 | depends on SECURITY_SELINUX | |
dd0859dc | 29 | select SECURITY_WRITABLE_HOOKS |
1da177e4 LT |
30 | default n |
31 | help | |
32 | This option enables writing to a selinuxfs node 'disable', which | |
33 | allows SELinux to be disabled at runtime prior to the policy load. | |
34 | SELinux will then remain disabled until the next boot. | |
35 | This option is similar to the selinux=0 boot parameter, but is to | |
36 | support runtime disabling of SELinux, e.g. from /sbin/init, for | |
37 | portability across platforms where boot parameters are difficult | |
38 | to employ. | |
39 | ||
dd0859dc JM |
40 | NOTE: selecting this option will disable the '__ro_after_init' |
41 | kernel hardening feature for security hooks. Please consider | |
42 | using the selinux=0 boot parameter instead of enabling this | |
43 | option. | |
44 | ||
1da177e4 LT |
45 | If you are unsure how to answer this question, answer N. |
46 | ||
47 | config SECURITY_SELINUX_DEVELOP | |
48 | bool "NSA SELinux Development Support" | |
49 | depends on SECURITY_SELINUX | |
50 | default y | |
51 | help | |
52 | This enables the development support option of NSA SELinux, | |
53 | which is useful for experimenting with SELinux and developing | |
54 | policies. If unsure, say Y. With this option enabled, the | |
55 | kernel will start in permissive mode (log everything, deny nothing) | |
56 | unless you specify enforcing=1 on the kernel command line. You | |
57 | can interactively toggle the kernel between enforcing mode and | |
58 | permissive mode (if permitted by the policy) via /selinux/enforce. | |
59 | ||
60 | config SECURITY_SELINUX_AVC_STATS | |
61 | bool "NSA SELinux AVC Statistics" | |
62 | depends on SECURITY_SELINUX | |
63 | default y | |
64 | help | |
65 | This option collects access vector cache statistics to | |
66 | /selinux/avc/cache_stats, which may be monitored via | |
67 | tools such as avcstat. | |
68 | ||
69 | config SECURITY_SELINUX_CHECKREQPROT_VALUE | |
70 | int "NSA SELinux checkreqprot default value" | |
71 | depends on SECURITY_SELINUX | |
72 | range 0 1 | |
2a35d196 | 73 | default 0 |
1da177e4 LT |
74 | help |
75 | This option sets the default value for the 'checkreqprot' flag | |
76 | that determines whether SELinux checks the protection requested | |
77 | by the application or the protection that will be applied by the | |
78 | kernel (including any implied execute for read-implies-exec) for | |
79 | mmap and mprotect calls. If this option is set to 0 (zero), | |
80 | SELinux will default to checking the protection that will be applied | |
81 | by the kernel. If this option is set to 1 (one), SELinux will | |
82 | default to checking the protection requested by the application. | |
83 | The checkreqprot flag may be changed from the default via the | |
84 | 'checkreqprot=' boot parameter. It may also be changed at runtime | |
85 | via /selinux/checkreqprot if authorized by policy. | |
86 | ||
2a35d196 | 87 | If you are unsure how to answer this question, answer 0. |