# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SELINUX
	bool "SELinux Support"
	depends on SECURITY_NETWORK && AUDIT && NET && INET
	select NETWORK_SECMARK
	default n
	help
	  This selects Security-Enhanced Linux (SELinux).
	  You will also need a policy configuration and a labeled filesystem.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM
	bool "SELinux boot parameter"
	depends on SECURITY_SELINUX
	default n
	help
	  This option adds a kernel parameter 'selinux', which allows SELinux
	  to be disabled at boot. If this option is selected, SELinux
	  functionality can be disabled with selinux=0 on the kernel
	  command line. The purpose of this option is to allow a single
	  kernel image to be distributed with SELinux built in, but not
	  necessarily enabled.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP
	bool "SELinux Development Support"
	depends on SECURITY_SELINUX
	default y
	help
	  This enables the development support option of SELinux,
	  which is useful for experimenting with SELinux and developing
	  policies. If unsure, say Y. With this option enabled, the
	  kernel will start in permissive mode (log everything, deny nothing)
	  unless you specify enforcing=1 on the kernel command line. You
	  can interactively toggle the kernel between enforcing mode and
	  permissive mode (if permitted by the policy) via
	  /sys/fs/selinux/enforce.

config SECURITY_SELINUX_AVC_STATS
	bool "SELinux AVC Statistics"
	depends on SECURITY_SELINUX
	default y
	help
	  This option collects access vector cache statistics to
	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
	  tools such as avcstat.

config SECURITY_SELINUX_SIDTAB_HASH_BITS
	int "SELinux sidtab hashtable size"
	depends on SECURITY_SELINUX
	range 8 13
	default 9
	help
	  This option sets the number of buckets used in the sidtab hashtable
	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
	  chain lengths are high (e.g. > 20) then selecting a higher value here
	  will ensure that lookup times are short and stable.

config SECURITY_SELINUX_SID2STR_CACHE_SIZE
	int "SELinux SID to context string translation cache size"
	depends on SECURITY_SELINUX
	default 256
	help
	  This option defines the size of the internal SID -> context string
	  cache, which improves the performance of context to string
	  conversion. Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.

config SECURITY_SELINUX_DEBUG
	bool "SELinux kernel debugging support"
	depends on SECURITY_SELINUX
	default n
	help
	  This enables debugging code designed to help SELinux kernel
	  developers; unless you know what this does in the kernel code, you
	  should leave this disabled.

	  To fine-tune which messages are printed, enable
	  CONFIG_DYNAMIC_DEBUG and see
	  Documentation/admin-guide/dynamic-debug-howto.rst for additional
	  information.

	  Example usage:

	  echo -n 'file "security/selinux/*" +p' > \
	  /proc/dynamic_debug/control
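The SECURITY_SELINUX_AVC_STATS and SECURITY_SELINUX_SIDTAB_HASH_BITS help texts point an administrator at /sys/fs/selinux/avc/cache_stats and /sys/fs/selinux/ss/sidtab_hash_stats. The shell helper below is an added example, not code from the kernel tree: it aggregates the per-CPU AVC counters into a miss ratio and checks the longest sidtab chain against the "> 20" threshold named above. Both sample file contents are constructed, and the exact "longest chain: N" line layout of sidtab_hash_stats is an assumption.

```shell
# Constructed sample in the layout of /sys/fs/selinux/avc/cache_stats:
# a header line, then one line of counters per CPU.
AVC_SAMPLE='lookups hits misses allocations reclaims frees
1000 950 50 50 0 40
2000 1800 200 200 16 180'

# Constructed sample of /sys/fs/selinux/ss/sidtab_hash_stats; the
# "longest chain: N" line layout is an assumption, not taken from the Kconfig.
SIDTAB_SAMPLE='entries: 1430
buckets used: 412/512
longest chain: 27'

# Sum the per-CPU AVC counters and print "lookups hits misses miss_pct".
avc_summary() {
    printf '%s\n' "$1" | awk '
        NR > 1 { l += $1; h += $2; m += $3 }
        END { pct = (l > 0) ? m * 100 / l : 0
              printf "%d %d %d %.1f\n", l, h, m, pct }'
}

# Compare the longest sidtab chain against a threshold (default 20, the
# value the help text mentions); exit 1 when raising the hash bits is advisable.
sidtab_check() {
    threshold="${2:-20}"
    longest=$(printf '%s\n' "$1" | awk -F': ' '/^longest chain:/ { print $2 }')
    [ -n "$longest" ] || { echo "no 'longest chain' line found"; return 2; }
    if [ "$longest" -gt "$threshold" ]; then
        echo "longest chain $longest exceeds $threshold: consider raising CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS"
        return 1
    fi
    echo "longest chain $longest within $threshold"
}

# Live variant: needs CONFIG_SECURITY_SELINUX_AVC_STATS=y and a mounted selinuxfs.
report_live() {
    for f in /sys/fs/selinux/avc/cache_stats /sys/fs/selinux/ss/sidtab_hash_stats; do
        [ -r "$f" ] || { echo "$f not readable (option disabled or selinuxfs not mounted)" >&2; return 1; }
    done
    avc_summary "$(cat /sys/fs/selinux/avc/cache_stats)"
    sidtab_check "$(cat /sys/fs/selinux/ss/sidtab_hash_stats)"
}

# Demonstrate on the constructed samples when run directly.
avc_summary "$AVC_SAMPLE"
sidtab_check "$SIDTAB_SAMPLE" || echo "sidtab: action suggested (exit $?)"
```

Call report_live on a running system to read the real selinuxfs files instead of the samples.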