1 files changed, 51 insertions, 84 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index bca1b74a4a2f..5588c4d573f6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,15 +1,16 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_SELINUX
-	bool "NSA SELinux Support"
+	bool "SELinux Support"
 	depends on SECURITY_NETWORK && AUDIT && NET && INET
 	select NETWORK_SECMARK
 	default n
 	help
-	  This selects NSA Security-Enhanced Linux (SELinux).
+	  This selects Security-Enhanced Linux (SELinux).
 	  You will also need a policy configuration and a labeled filesystem.
 	  If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_BOOTPARAM
-	bool "NSA SELinux boot parameter"
+	bool "SELinux boot parameter"
 	depends on SECURITY_SELINUX
 	default n
 	help
@@ -22,112 +23,78 @@ config SECURITY_SELINUX_BOOTPARAM
 
 	  If you are unsure how to answer this question, answer N.
 
-config SECURITY_SELINUX_BOOTPARAM_VALUE
-	int "NSA SELinux boot parameter default value"
-	depends on SECURITY_SELINUX_BOOTPARAM
-	range 0 1
-	default 1
-	help
-	  This option sets the default value for the kernel parameter
-	  'selinux', which allows SELinux to be disabled at boot.  If this
-	  option is set to 0 (zero), the SELinux kernel parameter will
-	  default to 0, disabling SELinux at bootup.  If this option is
-	  set to 1 (one), the SELinux kernel parameter will default to 1,
-	  enabling SELinux at bootup.
-
-	  If you are unsure how to answer this question, answer 1.
-
-config SECURITY_SELINUX_DISABLE
-	bool "NSA SELinux runtime disable"
-	depends on SECURITY_SELINUX
-	default n
-	help
-	  This option enables writing to a selinuxfs node 'disable', which
-	  allows SELinux to be disabled at runtime prior to the policy load.
-	  SELinux will then remain disabled until the next boot.
-	  This option is similar to the selinux=0 boot parameter, but is to
-	  support runtime disabling of SELinux, e.g. from /sbin/init, for
-	  portability across platforms where boot parameters are difficult
-	  to employ.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_SELINUX_DEVELOP
-	bool "NSA SELinux Development Support"
+	bool "SELinux Development Support"
 	depends on SECURITY_SELINUX
 	default y
 	help
-	  This enables the development support option of NSA SELinux,
+	  This enables the development support option of SELinux,
 	  which is useful for experimenting with SELinux and developing
 	  policies.  If unsure, say Y.  With this option enabled, the
 	  kernel will start in permissive mode (log everything, deny nothing)
 	  unless you specify enforcing=1 on the kernel command line.  You
 	  can interactively toggle the kernel between enforcing mode and
-	  permissive mode (if permitted by the policy) via /selinux/enforce.
+	  permissive mode (if permitted by the policy) via
+	  /sys/fs/selinux/enforce.
 
 config SECURITY_SELINUX_AVC_STATS
-	bool "NSA SELinux AVC Statistics"
+	bool "SELinux AVC Statistics"
 	depends on SECURITY_SELINUX
 	default y
 	help
 	  This option collects access vector cache statistics to
-	  /selinux/avc/cache_stats, which may be monitored via
+	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
 	  tools such as avcstat.
 
-config SECURITY_SELINUX_CHECKREQPROT_VALUE
-	int "NSA SELinux checkreqprot default value"
+config SECURITY_SELINUX_SIDTAB_HASH_BITS
+	int "SELinux sidtab hashtable size"
 	depends on SECURITY_SELINUX
-	range 0 1
-	default 1
+	range 8 13
+	default 9
 	help
-	  This option sets the default value for the 'checkreqprot' flag
-	  that determines whether SELinux checks the protection requested
-	  by the application or the protection that will be applied by the
-	  kernel (including any implied execute for read-implies-exec) for
-	  mmap and mprotect calls.  If this option is set to 0 (zero),
-	  SELinux will default to checking the protection that will be applied
-	  by the kernel.  If this option is set to 1 (one), SELinux will
-	  default to checking the protection requested by the application.
-	  The checkreqprot flag may be changed from the default via the
-	  'checkreqprot=' boot parameter.  It may also be changed at runtime
-	  via /selinux/checkreqprot if authorized by policy.
-
-	  If you are unsure how to answer this question, answer 1.
-
-config SECURITY_SELINUX_POLICYDB_VERSION_MAX
-	bool "NSA SELinux maximum supported policy format version"
+	  This option sets the number of buckets used in the sidtab hashtable
+	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
+	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
+	  chain lengths are high (e.g. > 20) then selecting a higher value here
+	  will ensure that lookups times are short and stable.
+
+config SECURITY_SELINUX_SID2STR_CACHE_SIZE
+	int "SELinux SID to context string translation cache size"
 	depends on SECURITY_SELINUX
-	default n
+	default 256
 	help
-	  This option enables the maximum policy format version supported
-	  by SELinux to be set to a particular value.  This value is reported
-	  to userspace via /selinux/policyvers and used at policy load time.
-	  It can be adjusted downward to support legacy userland (init) that
-	  does not correctly handle kernels that support newer policy versions.
+	  This option defines the size of the internal SID -> context string
+	  cache, which improves the performance of context to string
+	  conversion.  Setting this option to 0 disables the cache completely.
 
-	  Examples:
-	  For the Fedora Core 3 or 4 Linux distributions, enable this option
-	  and set the value via the next option. For Fedora Core 5 and later,
-	  do not enable this option.
+	  If unsure, keep the default value.
 
-	  If you are unsure how to answer this question, answer N.
+config SECURITY_SELINUX_AVC_HASH_BITS
+	int "SELinux avc hashtable size"
+	depends on SECURITY_SELINUX
+	range 9 14
+	default 9
+	help
+	  This option sets the number of buckets used in the AVC hash table
+	  to 2^SECURITY_SELINUX_AVC_HASH_BITS. A higher value helps maintain
+	  shorter chain lengths especially when expanding AVC nodes via
+	  /sys/fs/selinux/avc/cache_threshold.
 
-config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
-	int "NSA SELinux maximum supported policy format version value"
-	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
-	range 15 23
-	default 19
+config SECURITY_SELINUX_DEBUG
+	bool "SELinux kernel debugging support"
+	depends on SECURITY_SELINUX
+	default n
 	help
-	  This option sets the value for the maximum policy format version
-	  supported by SELinux.
+	  This enables debugging code designed to help SELinux kernel
+	  developers, unless you know what this does in the kernel code you
+	  should leave this disabled.
 
-	  Examples:
-	  For Fedora Core 3, use 18.
-	  For Fedora Core 4, use 19.
+	  To fine control the messages to be printed enable
+	  CONFIG_DYNAMIC_DEBUG and see
+	  Documentation/admin-guide/dynamic-debug-howto.rst for additional
+	  information.
 
-	  If you are unsure how to answer this question, look for the
-	  policy format version supported by your policy toolchain, by
-	  running 'checkpolicy -V'. Or look at what policy you have
-	  installed under /etc/selinux/$SELINUXTYPE/policy, where
-	  SELINUXTYPE is defined in your /etc/selinux/config.
+	  Example usage:
 
+		echo -n 'file "security/selinux/*" +p' > \
+			/proc/dynamic_debug/control