| config SECURITY_SELINUX |
| bool "NSA SELinux Support" |
| depends on SECURITY_NETWORK && AUDIT && NET && INET |
| select NETWORK_SECMARK |
| default n |
| help |
| This selects NSA Security-Enhanced Linux (SELinux). |
| You will also need a policy configuration and a labeled filesystem. |
| You can obtain the policy compiler (checkpolicy), the utility for |
| labeling filesystems (setfiles), and an example policy configuration |
| from <http://www.nsa.gov/selinux/>. |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_SELINUX_BOOTPARAM |
| bool "NSA SELinux boot parameter" |
| depends on SECURITY_SELINUX |
| default n |
| help |
| This option adds a kernel parameter 'selinux', which allows SELinux |
| to be disabled at boot. If this option is selected, SELinux |
| functionality can be disabled with selinux=0 on the kernel |
| command line. The purpose of this option is to allow a single |
| kernel image to be distributed with SELinux built in, but not |
| necessarily enabled. |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_SELINUX_BOOTPARAM_VALUE |
| int "NSA SELinux boot parameter default value" |
| depends on SECURITY_SELINUX_BOOTPARAM |
| range 0 1 |
| default 1 |
| help |
| This option sets the default value for the kernel parameter |
| 'selinux', which allows SELinux to be disabled at boot. If this |
| option is set to 0 (zero), the SELinux kernel parameter will |
| default to 0, disabling SELinux at bootup. If this option is |
| set to 1 (one), the SELinux kernel parameter will default to 1, |
| enabling SELinux at bootup. |
| |
| If you are unsure how to answer this question, answer 1. |
| |
| config SECURITY_SELINUX_DISABLE |
| bool "NSA SELinux runtime disable" |
| depends on SECURITY_SELINUX |
| default n |
| help |
| This option enables writing to a selinuxfs node 'disable', which |
| allows SELinux to be disabled at runtime prior to the policy load. |
| SELinux will then remain disabled until the next boot. |
| This option is similar to the selinux=0 boot parameter, but is to |
| support runtime disabling of SELinux, e.g. from /sbin/init, for |
| portability across platforms where boot parameters are difficult |
| to employ. |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_SELINUX_DEVELOP |
| bool "NSA SELinux Development Support" |
| depends on SECURITY_SELINUX |
| default y |
| help |
| This enables the development support option of NSA SELinux, |
| which is useful for experimenting with SELinux and developing |
| policies. If unsure, say Y. With this option enabled, the |
| kernel will start in permissive mode (log everything, deny nothing) |
| unless you specify enforcing=1 on the kernel command line. You |
| can interactively toggle the kernel between enforcing mode and |
| permissive mode (if permitted by the policy) via /selinux/enforce. |
| |
| config SECURITY_SELINUX_AVC_STATS |
| bool "NSA SELinux AVC Statistics" |
| depends on SECURITY_SELINUX |
| default y |
| help |
| This option collects access vector cache statistics to |
| /selinux/avc/cache_stats, which may be monitored via |
| tools such as avcstat. |
| |
| config SECURITY_SELINUX_CHECKREQPROT_VALUE |
| int "NSA SELinux checkreqprot default value" |
| depends on SECURITY_SELINUX |
| range 0 1 |
| default 1 |
| help |
| This option sets the default value for the 'checkreqprot' flag |
| that determines whether SELinux checks the protection requested |
| by the application or the protection that will be applied by the |
| kernel (including any implied execute for read-implies-exec) for |
| mmap and mprotect calls. If this option is set to 0 (zero), |
| SELinux will default to checking the protection that will be applied |
| by the kernel. If this option is set to 1 (one), SELinux will |
| default to checking the protection requested by the application. |
| The checkreqprot flag may be changed from the default via the |
| 'checkreqprot=' boot parameter. It may also be changed at runtime |
| via /selinux/checkreqprot if authorized by policy. |
| |
| If you are unsure how to answer this question, answer 1. |
| |
| config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT |
| bool "NSA SELinux enable new secmark network controls by default" |
| depends on SECURITY_SELINUX |
| default n |
| help |
| This option determines whether the new secmark-based network |
| controls will be enabled by default. If not, the old internal |
| per-packet controls will be enabled by default, preserving |
| old behavior. |
| |
| If you enable the new controls, you will need updated |
| SELinux userspace libraries, tools and policy. Typically, |
| your distribution will provide these and enable the new controls |
| in the kernel they also distribute. |
| |
| Note that this option can be overridden at boot with the |
| selinux_compat_net parameter, and after boot via |
| /selinux/compat_net. See Documentation/kernel-parameters.txt |
| for details on this parameter. |
| |
| If you enable the new network controls, you will likely |
| also require the SECMARK and CONNSECMARK targets, as |
| well as any conntrack helpers for protocols which you |
| wish to control. |
| |
| If you are unsure what to do here, select N. |
| |
| config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
| bool "NSA SELinux maximum supported policy format version" |
| depends on SECURITY_SELINUX |
| default n |
| help |
| This option enables the maximum policy format version supported |
| by SELinux to be set to a particular value. This value is reported |
| to userspace via /selinux/policyvers and used at policy load time. |
| It can be adjusted downward to support legacy userland (init) that |
| does not correctly handle kernels that support newer policy versions. |
| |
| Examples: |
| For the Fedora Core 3 or 4 Linux distributions, enable this option |
| and set the value via the next option. For Fedore Core 5 and later, |
| do not enable this option. |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE |
| int "NSA SELinux maximum supported policy format version value" |
| depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX |
| range 15 21 |
| default 19 |
| help |
| This option sets the value for the maximum policy format version |
| supported by SELinux. |
| |
| Examples: |
| For Fedora Core 3, use 18. |
| For Fedora Core 4, use 19. |
| |
| If you are unsure how to answer this question, look for the |
| policy format version supported by your policy toolchain, by |
| running 'checkpolicy -V'. Or look at what policy you have |
| installed under /etc/selinux/$SELINUXTYPE/policy, where |
| SELINUXTYPE is defined in your /etc/selinux/config. |
| |