diff options
Diffstat (limited to 'security/selinux/Kconfig')
| -rw-r--r-- | security/selinux/Kconfig | 93 |
1 files changed, 38 insertions, 55 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 9e921fc72538..5588c4d573f6 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -1,16 +1,16 @@ # SPDX-License-Identifier: GPL-2.0-only config SECURITY_SELINUX - bool "NSA SELinux Support" + bool "SELinux Support" depends on SECURITY_NETWORK && AUDIT && NET && INET select NETWORK_SECMARK default n help - This selects NSA Security-Enhanced Linux (SELinux). + This selects Security-Enhanced Linux (SELinux). You will also need a policy configuration and a labeled filesystem. If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_BOOTPARAM - bool "NSA SELinux boot parameter" + bool "SELinux boot parameter" depends on SECURITY_SELINUX default n help @@ -23,36 +23,12 @@ config SECURITY_SELINUX_BOOTPARAM If you are unsure how to answer this question, answer N. -config SECURITY_SELINUX_DISABLE - bool "NSA SELinux runtime disable" - depends on SECURITY_SELINUX - select SECURITY_WRITABLE_HOOKS - default n - help - This option enables writing to a selinuxfs node 'disable', which - allows SELinux to be disabled at runtime prior to the policy load. - SELinux will then remain disabled until the next boot. - This option is similar to the selinux=0 boot parameter, but is to - support runtime disabling of SELinux, e.g. from /sbin/init, for - portability across platforms where boot parameters are difficult - to employ. - - NOTE: selecting this option will disable the '__ro_after_init' - kernel hardening feature for security hooks. Please consider - using the selinux=0 boot parameter instead of enabling this - option. - - WARNING: this option is deprecated and will be removed in a future - kernel release. - - If you are unsure how to answer this question, answer N. - config SECURITY_SELINUX_DEVELOP - bool "NSA SELinux Development Support" + bool "SELinux Development Support" depends on SECURITY_SELINUX default y help - This enables the development support option of NSA SELinux, + This enables the development support option of SELinux, which is useful for experimenting with SELinux and developing policies. If unsure, say Y. With this option enabled, the kernel will start in permissive mode (log everything, deny nothing) @@ -62,7 +38,7 @@ config SECURITY_SELINUX_DEVELOP /sys/fs/selinux/enforce. config SECURITY_SELINUX_AVC_STATS - bool "NSA SELinux AVC Statistics" + bool "SELinux AVC Statistics" depends on SECURITY_SELINUX default y help @@ -70,31 +46,8 @@ config SECURITY_SELINUX_AVC_STATS /sys/fs/selinux/avc/cache_stats, which may be monitored via tools such as avcstat. -config SECURITY_SELINUX_CHECKREQPROT_VALUE - int "NSA SELinux checkreqprot default value" - depends on SECURITY_SELINUX - range 0 1 - default 0 - help - This option sets the default value for the 'checkreqprot' flag - that determines whether SELinux checks the protection requested - by the application or the protection that will be applied by the - kernel (including any implied execute for read-implies-exec) for - mmap and mprotect calls. If this option is set to 0 (zero), - SELinux will default to checking the protection that will be applied - by the kernel. If this option is set to 1 (one), SELinux will - default to checking the protection requested by the application. - The checkreqprot flag may be changed from the default via the - 'checkreqprot=' boot parameter. It may also be changed at runtime - via /sys/fs/selinux/checkreqprot if authorized by policy. - - WARNING: this option is deprecated and will be removed in a future - kernel release. - - If you are unsure how to answer this question, answer 0. - config SECURITY_SELINUX_SIDTAB_HASH_BITS - int "NSA SELinux sidtab hashtable size" + int "SELinux sidtab hashtable size" depends on SECURITY_SELINUX range 8 13 default 9 @@ -106,7 +59,7 @@ config SECURITY_SELINUX_SIDTAB_HASH_BITS will ensure that lookups times are short and stable. config SECURITY_SELINUX_SID2STR_CACHE_SIZE - int "NSA SELinux SID to context string translation cache size" + int "SELinux SID to context string translation cache size" depends on SECURITY_SELINUX default 256 help @@ -115,3 +68,33 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE conversion. Setting this option to 0 disables the cache completely. If unsure, keep the default value. + +config SECURITY_SELINUX_AVC_HASH_BITS + int "SELinux avc hashtable size" + depends on SECURITY_SELINUX + range 9 14 + default 9 + help + This option sets the number of buckets used in the AVC hash table + to 2^SECURITY_SELINUX_AVC_HASH_BITS. A higher value helps maintain + shorter chain lengths especially when expanding AVC nodes via + /sys/fs/selinux/avc/cache_threshold. + +config SECURITY_SELINUX_DEBUG + bool "SELinux kernel debugging support" + depends on SECURITY_SELINUX + default n + help + This enables debugging code designed to help SELinux kernel + developers, unless you know what this does in the kernel code you + should leave this disabled. + + To fine control the messages to be printed enable + CONFIG_DYNAMIC_DEBUG and see + Documentation/admin-guide/dynamic-debug-howto.rst for additional + information. + + Example usage: + + echo -n 'file "security/selinux/*" +p' > \ + /proc/dynamic_debug/control |