Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | config SECURITY_SELINUX |
| 2 | bool "NSA SELinux Support" |
Stephen Smalley | 99f6d61 | 2006-02-07 12:58:51 -0800 | [diff] [blame] | 3 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 4 | select NETWORK_SECMARK |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 5 | default n |
| 6 | help |
| 7 | This selects NSA Security-Enhanced Linux (SELinux). |
| 8 | You will also need a policy configuration and a labeled filesystem. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 9 | If you are unsure how to answer this question, answer N. |
| 10 | |
| 11 | config SECURITY_SELINUX_BOOTPARAM |
| 12 | bool "NSA SELinux boot parameter" |
| 13 | depends on SECURITY_SELINUX |
| 14 | default n |
| 15 | help |
| 16 | This option adds a kernel parameter 'selinux', which allows SELinux |
| 17 | to be disabled at boot. If this option is selected, SELinux |
| 18 | functionality can be disabled with selinux=0 on the kernel |
| 19 | command line. The purpose of this option is to allow a single |
| 20 | kernel image to be distributed with SELinux built in, but not |
| 21 | necessarily enabled. |
| 22 | |
| 23 | If you are unsure how to answer this question, answer N. |
| 24 | |
| 25 | config SECURITY_SELINUX_BOOTPARAM_VALUE |
| 26 | int "NSA SELinux boot parameter default value" |
| 27 | depends on SECURITY_SELINUX_BOOTPARAM |
| 28 | range 0 1 |
| 29 | default 1 |
| 30 | help |
| 31 | This option sets the default value for the kernel parameter |
| 32 | 'selinux', which allows SELinux to be disabled at boot. If this |
| 33 | option is set to 0 (zero), the SELinux kernel parameter will |
| 34 | default to 0, disabling SELinux at bootup. If this option is |
| 35 | set to 1 (one), the SELinux kernel parameter will default to 1, |
| 36 | enabling SELinux at bootup. |
| 37 | |
| 38 | If you are unsure how to answer this question, answer 1. |
| 39 | |
| 40 | config SECURITY_SELINUX_DISABLE |
| 41 | bool "NSA SELinux runtime disable" |
| 42 | depends on SECURITY_SELINUX |
| 43 | default n |
| 44 | help |
| 45 | This option enables writing to a selinuxfs node 'disable', which |
| 46 | allows SELinux to be disabled at runtime prior to the policy load. |
| 47 | SELinux will then remain disabled until the next boot. |
| 48 | This option is similar to the selinux=0 boot parameter, but is to |
| 49 | support runtime disabling of SELinux, e.g. from /sbin/init, for |
| 50 | portability across platforms where boot parameters are difficult |
| 51 | to employ. |
| 52 | |
| 53 | If you are unsure how to answer this question, answer N. |
| 54 | |
| 55 | config SECURITY_SELINUX_DEVELOP |
| 56 | bool "NSA SELinux Development Support" |
| 57 | depends on SECURITY_SELINUX |
| 58 | default y |
| 59 | help |
| 60 | This enables the development support option of NSA SELinux, |
| 61 | which is useful for experimenting with SELinux and developing |
| 62 | policies. If unsure, say Y. With this option enabled, the |
| 63 | kernel will start in permissive mode (log everything, deny nothing) |
| 64 | unless you specify enforcing=1 on the kernel command line. You |
| 65 | can interactively toggle the kernel between enforcing mode and |
| 66 | permissive mode (if permitted by the policy) via /selinux/enforce. |
| 67 | |
| 68 | config SECURITY_SELINUX_AVC_STATS |
| 69 | bool "NSA SELinux AVC Statistics" |
| 70 | depends on SECURITY_SELINUX |
| 71 | default y |
| 72 | help |
| 73 | This option collects access vector cache statistics to |
| 74 | /selinux/avc/cache_stats, which may be monitored via |
| 75 | tools such as avcstat. |
| 76 | |
| 77 | config SECURITY_SELINUX_CHECKREQPROT_VALUE |
| 78 | int "NSA SELinux checkreqprot default value" |
| 79 | depends on SECURITY_SELINUX |
| 80 | range 0 1 |
| 81 | default 1 |
| 82 | help |
| 83 | This option sets the default value for the 'checkreqprot' flag |
| 84 | that determines whether SELinux checks the protection requested |
| 85 | by the application or the protection that will be applied by the |
| 86 | kernel (including any implied execute for read-implies-exec) for |
| 87 | mmap and mprotect calls. If this option is set to 0 (zero), |
| 88 | SELinux will default to checking the protection that will be applied |
| 89 | by the kernel. If this option is set to 1 (one), SELinux will |
| 90 | default to checking the protection requested by the application. |
| 91 | The checkreqprot flag may be changed from the default via the |
| 92 | 'checkreqprot=' boot parameter. It may also be changed at runtime |
| 93 | via /selinux/checkreqprot if authorized by policy. |
| 94 | |
| 95 | If you are unsure how to answer this question, answer 1. |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 96 | |
| 97 | config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT |
| 98 | bool "NSA SELinux enable new secmark network controls by default" |
| 99 | depends on SECURITY_SELINUX |
| 100 | default n |
| 101 | help |
| 102 | This option determines whether the new secmark-based network |
| 103 | controls will be enabled by default. If not, the old internal |
| 104 | per-packet controls will be enabled by default, preserving |
| 105 | old behavior. |
| 106 | |
| 107 | If you enable the new controls, you will need updated |
| 108 | SELinux userspace libraries, tools and policy. Typically, |
| 109 | your distribution will provide these and enable the new controls |
| 110 | in the kernel they also distribute. |
| 111 | |
Matt LaPlante | 44c0920 | 2006-10-03 22:34:14 +0200 | [diff] [blame] | 112 | Note that this option can be overridden at boot with the |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 113 | selinux_compat_net parameter, and after boot via |
| 114 | /selinux/compat_net. See Documentation/kernel-parameters.txt |
| 115 | for details on this parameter. |
| 116 | |
| 117 | If you enable the new network controls, you will likely |
| 118 | also require the SECMARK and CONNSECMARK targets, as |
| 119 | well as any conntrack helpers for protocols which you |
| 120 | wish to control. |
| 121 | |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 122 | If you are unsure what to do here, select N. |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 123 | |
Stephen Smalley | 016b9bd | 2006-09-25 23:31:58 -0700 | [diff] [blame] | 124 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX |
| 125 | bool "NSA SELinux maximum supported policy format version" |
| 126 | depends on SECURITY_SELINUX |
| 127 | default n |
| 128 | help |
| 129 | This option enables the maximum policy format version supported |
| 130 | by SELinux to be set to a particular value. This value is reported |
| 131 | to userspace via /selinux/policyvers and used at policy load time. |
| 132 | It can be adjusted downward to support legacy userland (init) that |
| 133 | does not correctly handle kernels that support newer policy versions. |
| 134 | |
| 135 | Examples: |
| 136 | For the Fedora Core 3 or 4 Linux distributions, enable this option |
David Sterba | 3dde6ad | 2007-05-09 07:12:20 +0200 | [diff] [blame] | 137 | and set the value via the next option. For Fedora Core 5 and later, |
Stephen Smalley | 016b9bd | 2006-09-25 23:31:58 -0700 | [diff] [blame] | 138 | do not enable this option. |
| 139 | |
| 140 | If you are unsure how to answer this question, answer N. |
| 141 | |
| 142 | config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE |
| 143 | int "NSA SELinux maximum supported policy format version value" |
| 144 | depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX |
Eric Paris | 64dbf07 | 2008-03-31 12:17:33 +1100 | [diff] [blame] | 145 | range 15 23 |
Stephen Smalley | 016b9bd | 2006-09-25 23:31:58 -0700 | [diff] [blame] | 146 | default 19 |
| 147 | help |
| 148 | This option sets the value for the maximum policy format version |
| 149 | supported by SELinux. |
| 150 | |
| 151 | Examples: |
| 152 | For Fedora Core 3, use 18. |
| 153 | For Fedora Core 4, use 19. |
| 154 | |
| 155 | If you are unsure how to answer this question, look for the |
| 156 | policy format version supported by your policy toolchain, by |
| 157 | running 'checkpolicy -V'. Or look at what policy you have |
| 158 | installed under /etc/selinux/$SELINUXTYPE/policy, where |
| 159 | SELINUXTYPE is defined in your /etc/selinux/config. |
| 160 | |