Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | config SECURITY_SELINUX |
3 | bool "NSA SELinux Support" | |
99f6d61b | 4 | depends on SECURITY_NETWORK && AUDIT && NET && INET |
4e5ab4cb | 5 | select NETWORK_SECMARK |
1da177e4 LT |
6 | default n |
7 | help | |
8 | This selects NSA Security-Enhanced Linux (SELinux). | |
9 | You will also need a policy configuration and a labeled filesystem. | |
1da177e4 LT |
10 | If you are unsure how to answer this question, answer N. |
11 | ||
12 | config SECURITY_SELINUX_BOOTPARAM | |
13 | bool "NSA SELinux boot parameter" | |
14 | depends on SECURITY_SELINUX | |
15 | default n | |
16 | help | |
17 | This option adds a kernel parameter 'selinux', which allows SELinux | |
18 | to be disabled at boot. If this option is selected, SELinux | |
19 | functionality can be disabled with selinux=0 on the kernel | |
20 | command line. The purpose of this option is to allow a single | |
21 | kernel image to be distributed with SELinux built in, but not | |
22 | necessarily enabled. | |
23 | ||
24 | If you are unsure how to answer this question, answer N. | |
25 | ||
1da177e4 LT |
26 | config SECURITY_SELINUX_DEVELOP |
27 | bool "NSA SELinux Development Support" | |
28 | depends on SECURITY_SELINUX | |
29 | default y | |
30 | help | |
31 | This enables the development support option of NSA SELinux, | |
32 | which is useful for experimenting with SELinux and developing | |
33 | policies. If unsure, say Y. With this option enabled, the | |
34 | kernel will start in permissive mode (log everything, deny nothing) | |
35 | unless you specify enforcing=1 on the kernel command line. You | |
36 | can interactively toggle the kernel between enforcing mode and | |
d41415eb SS |
37 | permissive mode (if permitted by the policy) via |
38 | /sys/fs/selinux/enforce. | |
1da177e4 LT |
39 | |
40 | config SECURITY_SELINUX_AVC_STATS | |
41 | bool "NSA SELinux AVC Statistics" | |
42 | depends on SECURITY_SELINUX | |
43 | default y | |
44 | help | |
45 | This option collects access vector cache statistics to | |
d41415eb | 46 | /sys/fs/selinux/avc/cache_stats, which may be monitored via |
1da177e4 LT |
47 | tools such as avcstat. |
48 | ||
66f8e2f0 JVS |
49 | config SECURITY_SELINUX_SIDTAB_HASH_BITS |
50 | int "NSA SELinux sidtab hashtable size" | |
51 | depends on SECURITY_SELINUX | |
52 | range 8 13 | |
53 | default 9 | |
54 | help | |
55 | This option sets the number of buckets used in the sidtab hashtable | |
56 | to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash | |
57 | collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If | |
58 | chain lengths are high (e.g. > 20) then selecting a higher value here | |
59 | will ensure that lookups times are short and stable. | |
d97bd23c OM |
60 | |
61 | config SECURITY_SELINUX_SID2STR_CACHE_SIZE | |
62 | int "NSA SELinux SID to context string translation cache size" | |
63 | depends on SECURITY_SELINUX | |
64 | default 256 | |
65 | help | |
66 | This option defines the size of the internal SID -> context string | |
67 | cache, which improves the performance of context to string | |
68 | conversion. Setting this option to 0 disables the cache completely. | |
69 | ||
70 | If unsure, keep the default value. |