xref: /linux/security/selinux/Kconfig (revision d41415eb5edae2a750940aa24924993b81947040) 
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
21da177e4SLinus Torvaldsconfig SECURITY_SELINUX
31da177e4SLinus Torvalds	bool "NSA SELinux Support"
499f6d61bSStephen Smalley	depends on SECURITY_NETWORK && AUDIT && NET && INET
54e5ab4cbSJames Morris	select NETWORK_SECMARK
61da177e4SLinus Torvalds	default n
71da177e4SLinus Torvalds	help
81da177e4SLinus Torvalds	  This selects NSA Security-Enhanced Linux (SELinux).
91da177e4SLinus Torvalds	  You will also need a policy configuration and a labeled filesystem.
101da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
111da177e4SLinus Torvalds
121da177e4SLinus Torvaldsconfig SECURITY_SELINUX_BOOTPARAM
131da177e4SLinus Torvalds	bool "NSA SELinux boot parameter"
141da177e4SLinus Torvalds	depends on SECURITY_SELINUX
151da177e4SLinus Torvalds	default n
161da177e4SLinus Torvalds	help
171da177e4SLinus Torvalds	  This option adds a kernel parameter 'selinux', which allows SELinux
181da177e4SLinus Torvalds	  to be disabled at boot.  If this option is selected, SELinux
191da177e4SLinus Torvalds	  functionality can be disabled with selinux=0 on the kernel
201da177e4SLinus Torvalds	  command line.  The purpose of this option is to allow a single
211da177e4SLinus Torvalds	  kernel image to be distributed with SELinux built in, but not
221da177e4SLinus Torvalds	  necessarily enabled.
231da177e4SLinus Torvalds
241da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
251da177e4SLinus Torvalds
261da177e4SLinus Torvaldsconfig SECURITY_SELINUX_DISABLE
271da177e4SLinus Torvalds	bool "NSA SELinux runtime disable"
281da177e4SLinus Torvalds	depends on SECURITY_SELINUX
29dd0859dcSJames Morris	select SECURITY_WRITABLE_HOOKS
301da177e4SLinus Torvalds	default n
311da177e4SLinus Torvalds	help
321da177e4SLinus Torvalds	  This option enables writing to a selinuxfs node 'disable', which
331da177e4SLinus Torvalds	  allows SELinux to be disabled at runtime prior to the policy load.
341da177e4SLinus Torvalds	  SELinux will then remain disabled until the next boot.
351da177e4SLinus Torvalds	  This option is similar to the selinux=0 boot parameter, but is to
361da177e4SLinus Torvalds	  support runtime disabling of SELinux, e.g. from /sbin/init, for
371da177e4SLinus Torvalds	  portability across platforms where boot parameters are difficult
381da177e4SLinus Torvalds	  to employ.
391da177e4SLinus Torvalds
40dd0859dcSJames Morris	  NOTE: selecting this option will disable the '__ro_after_init'
41dd0859dcSJames Morris	  kernel hardening feature for security hooks.   Please consider
42dd0859dcSJames Morris	  using the selinux=0 boot parameter instead of enabling this
43dd0859dcSJames Morris	  option.
44dd0859dcSJames Morris
4589b223bfSPaul Moore	  WARNING: this option is deprecated and will be removed in a future
4689b223bfSPaul Moore	  kernel release.
4789b223bfSPaul Moore
481da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
491da177e4SLinus Torvalds
501da177e4SLinus Torvaldsconfig SECURITY_SELINUX_DEVELOP
511da177e4SLinus Torvalds	bool "NSA SELinux Development Support"
521da177e4SLinus Torvalds	depends on SECURITY_SELINUX
531da177e4SLinus Torvalds	default y
541da177e4SLinus Torvalds	help
551da177e4SLinus Torvalds	  This enables the development support option of NSA SELinux,
561da177e4SLinus Torvalds	  which is useful for experimenting with SELinux and developing
571da177e4SLinus Torvalds	  policies.  If unsure, say Y.  With this option enabled, the
581da177e4SLinus Torvalds	  kernel will start in permissive mode (log everything, deny nothing)
591da177e4SLinus Torvalds	  unless you specify enforcing=1 on the kernel command line.  You
601da177e4SLinus Torvalds	  can interactively toggle the kernel between enforcing mode and
61*d41415ebSStephen Smalley	  permissive mode (if permitted by the policy) via
62*d41415ebSStephen Smalley	  /sys/fs/selinux/enforce.
631da177e4SLinus Torvalds
641da177e4SLinus Torvaldsconfig SECURITY_SELINUX_AVC_STATS
651da177e4SLinus Torvalds	bool "NSA SELinux AVC Statistics"
661da177e4SLinus Torvalds	depends on SECURITY_SELINUX
671da177e4SLinus Torvalds	default y
681da177e4SLinus Torvalds	help
691da177e4SLinus Torvalds	  This option collects access vector cache statistics to
70*d41415ebSStephen Smalley	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
711da177e4SLinus Torvalds	  tools such as avcstat.
721da177e4SLinus Torvalds
731da177e4SLinus Torvaldsconfig SECURITY_SELINUX_CHECKREQPROT_VALUE
741da177e4SLinus Torvalds	int "NSA SELinux checkreqprot default value"
751da177e4SLinus Torvalds	depends on SECURITY_SELINUX
761da177e4SLinus Torvalds	range 0 1
772a35d196SPaul Moore	default 0
781da177e4SLinus Torvalds	help
791da177e4SLinus Torvalds	  This option sets the default value for the 'checkreqprot' flag
801da177e4SLinus Torvalds	  that determines whether SELinux checks the protection requested
811da177e4SLinus Torvalds	  by the application or the protection that will be applied by the
821da177e4SLinus Torvalds	  kernel (including any implied execute for read-implies-exec) for
831da177e4SLinus Torvalds	  mmap and mprotect calls.  If this option is set to 0 (zero),
841da177e4SLinus Torvalds	  SELinux will default to checking the protection that will be applied
851da177e4SLinus Torvalds	  by the kernel.  If this option is set to 1 (one), SELinux will
861da177e4SLinus Torvalds	  default to checking the protection requested by the application.
871da177e4SLinus Torvalds	  The checkreqprot flag may be changed from the default via the
881da177e4SLinus Torvalds	  'checkreqprot=' boot parameter.  It may also be changed at runtime
89*d41415ebSStephen Smalley	  via /sys/fs/selinux/checkreqprot if authorized by policy.
901da177e4SLinus Torvalds
912a35d196SPaul Moore	  If you are unsure how to answer this question, answer 0.
9266f8e2f0SJeff Vander Stoep
9366f8e2f0SJeff Vander Stoepconfig SECURITY_SELINUX_SIDTAB_HASH_BITS
9466f8e2f0SJeff Vander Stoep	int "NSA SELinux sidtab hashtable size"
9566f8e2f0SJeff Vander Stoep	depends on SECURITY_SELINUX
9666f8e2f0SJeff Vander Stoep	range 8 13
9766f8e2f0SJeff Vander Stoep	default 9
9866f8e2f0SJeff Vander Stoep	help
9966f8e2f0SJeff Vander Stoep	  This option sets the number of buckets used in the sidtab hashtable
10066f8e2f0SJeff Vander Stoep	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
10166f8e2f0SJeff Vander Stoep	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
10266f8e2f0SJeff Vander Stoep	  chain lengths are high (e.g. > 20) then selecting a higher value here
10366f8e2f0SJeff Vander Stoep	  will ensure that lookups times are short and stable.
104d97bd23cSOndrej Mosnacek
105d97bd23cSOndrej Mosnacekconfig SECURITY_SELINUX_SID2STR_CACHE_SIZE
106d97bd23cSOndrej Mosnacek	int "NSA SELinux SID to context string translation cache size"
107d97bd23cSOndrej Mosnacek	depends on SECURITY_SELINUX
108d97bd23cSOndrej Mosnacek	default 256
109d97bd23cSOndrej Mosnacek	help
110d97bd23cSOndrej Mosnacek	  This option defines the size of the internal SID -> context string
111d97bd23cSOndrej Mosnacek	  cache, which improves the performance of context to string
112d97bd23cSOndrej Mosnacek	  conversion.  Setting this option to 0 disables the cache completely.
113d97bd23cSOndrej Mosnacek
114d97bd23cSOndrej Mosnacek	  If unsure, keep the default value.
115