Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 2 | config SECURITY_SELINUX |
| 3 | bool "NSA SELinux Support" |
Stephen Smalley | 99f6d61 | 2006-02-07 12:58:51 -0800 | [diff] [blame] | 4 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 5 | select NETWORK_SECMARK |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 6 | default n |
| 7 | help |
| 8 | This selects NSA Security-Enhanced Linux (SELinux). |
| 9 | You will also need a policy configuration and a labeled filesystem. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 10 | If you are unsure how to answer this question, answer N. |
| 11 | |
| 12 | config SECURITY_SELINUX_BOOTPARAM |
| 13 | bool "NSA SELinux boot parameter" |
| 14 | depends on SECURITY_SELINUX |
| 15 | default n |
| 16 | help |
| 17 | This option adds a kernel parameter 'selinux', which allows SELinux |
| 18 | to be disabled at boot. If this option is selected, SELinux |
| 19 | functionality can be disabled with selinux=0 on the kernel |
| 20 | command line. The purpose of this option is to allow a single |
| 21 | kernel image to be distributed with SELinux built in, but not |
| 22 | necessarily enabled. |
| 23 | |
| 24 | If you are unsure how to answer this question, answer N. |
| 25 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 26 | config SECURITY_SELINUX_DISABLE |
| 27 | bool "NSA SELinux runtime disable" |
| 28 | depends on SECURITY_SELINUX |
James Morris | dd0859d | 2017-02-15 00:17:24 +1100 | [diff] [blame] | 29 | select SECURITY_WRITABLE_HOOKS |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 30 | default n |
| 31 | help |
| 32 | This option enables writing to a selinuxfs node 'disable', which |
| 33 | allows SELinux to be disabled at runtime prior to the policy load. |
| 34 | SELinux will then remain disabled until the next boot. |
| 35 | This option is similar to the selinux=0 boot parameter, but is to |
| 36 | support runtime disabling of SELinux, e.g. from /sbin/init, for |
| 37 | portability across platforms where boot parameters are difficult |
| 38 | to employ. |
| 39 | |
James Morris | dd0859d | 2017-02-15 00:17:24 +1100 | [diff] [blame] | 40 | NOTE: selecting this option will disable the '__ro_after_init' |
| 41 | kernel hardening feature for security hooks. Please consider |
| 42 | using the selinux=0 boot parameter instead of enabling this |
| 43 | option. |
| 44 | |
Paul Moore | 89b223b | 2019-12-18 21:45:08 -0500 | [diff] [blame] | 45 | WARNING: this option is deprecated and will be removed in a future |
| 46 | kernel release. |
| 47 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 48 | If you are unsure how to answer this question, answer N. |
| 49 | |
| 50 | config SECURITY_SELINUX_DEVELOP |
| 51 | bool "NSA SELinux Development Support" |
| 52 | depends on SECURITY_SELINUX |
| 53 | default y |
| 54 | help |
| 55 | This enables the development support option of NSA SELinux, |
| 56 | which is useful for experimenting with SELinux and developing |
| 57 | policies. If unsure, say Y. With this option enabled, the |
| 58 | kernel will start in permissive mode (log everything, deny nothing) |
| 59 | unless you specify enforcing=1 on the kernel command line. You |
| 60 | can interactively toggle the kernel between enforcing mode and |
Stephen Smalley | d41415e | 2020-01-07 11:35:04 -0500 | [diff] [blame] | 61 | permissive mode (if permitted by the policy) via |
| 62 | /sys/fs/selinux/enforce. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 63 | |
| 64 | config SECURITY_SELINUX_AVC_STATS |
| 65 | bool "NSA SELinux AVC Statistics" |
| 66 | depends on SECURITY_SELINUX |
| 67 | default y |
| 68 | help |
| 69 | This option collects access vector cache statistics to |
Stephen Smalley | d41415e | 2020-01-07 11:35:04 -0500 | [diff] [blame] | 70 | /sys/fs/selinux/avc/cache_stats, which may be monitored via |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 71 | tools such as avcstat. |
| 72 | |
| 73 | config SECURITY_SELINUX_CHECKREQPROT_VALUE |
| 74 | int "NSA SELinux checkreqprot default value" |
| 75 | depends on SECURITY_SELINUX |
| 76 | range 0 1 |
Paul Moore | 2a35d19 | 2015-10-21 17:44:25 -0400 | [diff] [blame] | 77 | default 0 |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 78 | help |
| 79 | This option sets the default value for the 'checkreqprot' flag |
| 80 | that determines whether SELinux checks the protection requested |
| 81 | by the application or the protection that will be applied by the |
| 82 | kernel (including any implied execute for read-implies-exec) for |
| 83 | mmap and mprotect calls. If this option is set to 0 (zero), |
| 84 | SELinux will default to checking the protection that will be applied |
| 85 | by the kernel. If this option is set to 1 (one), SELinux will |
| 86 | default to checking the protection requested by the application. |
| 87 | The checkreqprot flag may be changed from the default via the |
| 88 | 'checkreqprot=' boot parameter. It may also be changed at runtime |
Stephen Smalley | d41415e | 2020-01-07 11:35:04 -0500 | [diff] [blame] | 89 | via /sys/fs/selinux/checkreqprot if authorized by policy. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 90 | |
Stephen Smalley | e9c38f9 | 2020-01-08 11:24:47 -0500 | [diff] [blame] | 91 | WARNING: this option is deprecated and will be removed in a future |
| 92 | kernel release. |
| 93 | |
Paul Moore | 2a35d19 | 2015-10-21 17:44:25 -0400 | [diff] [blame] | 94 | If you are unsure how to answer this question, answer 0. |
Jeff Vander Stoep | 66f8e2f | 2019-11-22 10:33:06 +0100 | [diff] [blame] | 95 | |
| 96 | config SECURITY_SELINUX_SIDTAB_HASH_BITS |
| 97 | int "NSA SELinux sidtab hashtable size" |
| 98 | depends on SECURITY_SELINUX |
| 99 | range 8 13 |
| 100 | default 9 |
| 101 | help |
| 102 | This option sets the number of buckets used in the sidtab hashtable |
| 103 | to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash |
| 104 | collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If |
| 105 | chain lengths are high (e.g. > 20) then selecting a higher value here |
| 106 | will ensure that lookups times are short and stable. |
Ondrej Mosnacek | d97bd23 | 2019-11-26 14:57:00 +0100 | [diff] [blame] | 107 | |
| 108 | config SECURITY_SELINUX_SID2STR_CACHE_SIZE |
| 109 | int "NSA SELinux SID to context string translation cache size" |
| 110 | depends on SECURITY_SELINUX |
| 111 | default 256 |
| 112 | help |
| 113 | This option defines the size of the internal SID -> context string |
| 114 | cache, which improves the performance of context to string |
| 115 | conversion. Setting this option to 0 disables the cache completely. |
| 116 | |
| 117 | If unsure, keep the default value. |