xref: /linux/security/selinux/Kconfig (revision d97bd23c2d7d866e99eb3a927c742715c85a90ef) 
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
21da177e4SLinus Torvaldsconfig SECURITY_SELINUX
31da177e4SLinus Torvalds	bool "NSA SELinux Support"
499f6d61bSStephen Smalley	depends on SECURITY_NETWORK && AUDIT && NET && INET
54e5ab4cbSJames Morris	select NETWORK_SECMARK
61da177e4SLinus Torvalds	default n
71da177e4SLinus Torvalds	help
81da177e4SLinus Torvalds	  This selects NSA Security-Enhanced Linux (SELinux).
91da177e4SLinus Torvalds	  You will also need a policy configuration and a labeled filesystem.
101da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
111da177e4SLinus Torvalds
121da177e4SLinus Torvaldsconfig SECURITY_SELINUX_BOOTPARAM
131da177e4SLinus Torvalds	bool "NSA SELinux boot parameter"
141da177e4SLinus Torvalds	depends on SECURITY_SELINUX
151da177e4SLinus Torvalds	default n
161da177e4SLinus Torvalds	help
171da177e4SLinus Torvalds	  This option adds a kernel parameter 'selinux', which allows SELinux
181da177e4SLinus Torvalds	  to be disabled at boot.  If this option is selected, SELinux
191da177e4SLinus Torvalds	  functionality can be disabled with selinux=0 on the kernel
201da177e4SLinus Torvalds	  command line.  The purpose of this option is to allow a single
211da177e4SLinus Torvalds	  kernel image to be distributed with SELinux built in, but not
221da177e4SLinus Torvalds	  necessarily enabled.
231da177e4SLinus Torvalds
241da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
251da177e4SLinus Torvalds
261da177e4SLinus Torvaldsconfig SECURITY_SELINUX_DISABLE
271da177e4SLinus Torvalds	bool "NSA SELinux runtime disable"
281da177e4SLinus Torvalds	depends on SECURITY_SELINUX
29dd0859dcSJames Morris	select SECURITY_WRITABLE_HOOKS
301da177e4SLinus Torvalds	default n
311da177e4SLinus Torvalds	help
321da177e4SLinus Torvalds	  This option enables writing to a selinuxfs node 'disable', which
331da177e4SLinus Torvalds	  allows SELinux to be disabled at runtime prior to the policy load.
341da177e4SLinus Torvalds	  SELinux will then remain disabled until the next boot.
351da177e4SLinus Torvalds	  This option is similar to the selinux=0 boot parameter, but is to
361da177e4SLinus Torvalds	  support runtime disabling of SELinux, e.g. from /sbin/init, for
371da177e4SLinus Torvalds	  portability across platforms where boot parameters are difficult
381da177e4SLinus Torvalds	  to employ.
391da177e4SLinus Torvalds
40dd0859dcSJames Morris	  NOTE: selecting this option will disable the '__ro_after_init'
41dd0859dcSJames Morris	  kernel hardening feature for security hooks.   Please consider
42dd0859dcSJames Morris	  using the selinux=0 boot parameter instead of enabling this
43dd0859dcSJames Morris	  option.
44dd0859dcSJames Morris
451da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
461da177e4SLinus Torvalds
471da177e4SLinus Torvaldsconfig SECURITY_SELINUX_DEVELOP
481da177e4SLinus Torvalds	bool "NSA SELinux Development Support"
491da177e4SLinus Torvalds	depends on SECURITY_SELINUX
501da177e4SLinus Torvalds	default y
511da177e4SLinus Torvalds	help
521da177e4SLinus Torvalds	  This enables the development support option of NSA SELinux,
531da177e4SLinus Torvalds	  which is useful for experimenting with SELinux and developing
541da177e4SLinus Torvalds	  policies.  If unsure, say Y.  With this option enabled, the
551da177e4SLinus Torvalds	  kernel will start in permissive mode (log everything, deny nothing)
561da177e4SLinus Torvalds	  unless you specify enforcing=1 on the kernel command line.  You
571da177e4SLinus Torvalds	  can interactively toggle the kernel between enforcing mode and
581da177e4SLinus Torvalds	  permissive mode (if permitted by the policy) via /selinux/enforce.
591da177e4SLinus Torvalds
601da177e4SLinus Torvaldsconfig SECURITY_SELINUX_AVC_STATS
611da177e4SLinus Torvalds	bool "NSA SELinux AVC Statistics"
621da177e4SLinus Torvalds	depends on SECURITY_SELINUX
631da177e4SLinus Torvalds	default y
641da177e4SLinus Torvalds	help
651da177e4SLinus Torvalds	  This option collects access vector cache statistics to
661da177e4SLinus Torvalds	  /selinux/avc/cache_stats, which may be monitored via
671da177e4SLinus Torvalds	  tools such as avcstat.
681da177e4SLinus Torvalds
691da177e4SLinus Torvaldsconfig SECURITY_SELINUX_CHECKREQPROT_VALUE
701da177e4SLinus Torvalds	int "NSA SELinux checkreqprot default value"
711da177e4SLinus Torvalds	depends on SECURITY_SELINUX
721da177e4SLinus Torvalds	range 0 1
732a35d196SPaul Moore	default 0
741da177e4SLinus Torvalds	help
751da177e4SLinus Torvalds	  This option sets the default value for the 'checkreqprot' flag
761da177e4SLinus Torvalds	  that determines whether SELinux checks the protection requested
771da177e4SLinus Torvalds	  by the application or the protection that will be applied by the
781da177e4SLinus Torvalds	  kernel (including any implied execute for read-implies-exec) for
791da177e4SLinus Torvalds	  mmap and mprotect calls.  If this option is set to 0 (zero),
801da177e4SLinus Torvalds	  SELinux will default to checking the protection that will be applied
811da177e4SLinus Torvalds	  by the kernel.  If this option is set to 1 (one), SELinux will
821da177e4SLinus Torvalds	  default to checking the protection requested by the application.
831da177e4SLinus Torvalds	  The checkreqprot flag may be changed from the default via the
841da177e4SLinus Torvalds	  'checkreqprot=' boot parameter.  It may also be changed at runtime
851da177e4SLinus Torvalds	  via /selinux/checkreqprot if authorized by policy.
861da177e4SLinus Torvalds
872a35d196SPaul Moore	  If you are unsure how to answer this question, answer 0.
8866f8e2f0SJeff Vander Stoep
8966f8e2f0SJeff Vander Stoepconfig SECURITY_SELINUX_SIDTAB_HASH_BITS
9066f8e2f0SJeff Vander Stoep	int "NSA SELinux sidtab hashtable size"
9166f8e2f0SJeff Vander Stoep	depends on SECURITY_SELINUX
9266f8e2f0SJeff Vander Stoep	range 8 13
9366f8e2f0SJeff Vander Stoep	default 9
9466f8e2f0SJeff Vander Stoep	help
9566f8e2f0SJeff Vander Stoep	  This option sets the number of buckets used in the sidtab hashtable
9666f8e2f0SJeff Vander Stoep	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
9766f8e2f0SJeff Vander Stoep	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
9866f8e2f0SJeff Vander Stoep	  chain lengths are high (e.g. > 20) then selecting a higher value here
9966f8e2f0SJeff Vander Stoep	  will ensure that lookups times are short and stable.
100*d97bd23cSOndrej Mosnacek
101*d97bd23cSOndrej Mosnacekconfig SECURITY_SELINUX_SID2STR_CACHE_SIZE
102*d97bd23cSOndrej Mosnacek	int "NSA SELinux SID to context string translation cache size"
103*d97bd23cSOndrej Mosnacek	depends on SECURITY_SELINUX
104*d97bd23cSOndrej Mosnacek	default 256
105*d97bd23cSOndrej Mosnacek	help
106*d97bd23cSOndrej Mosnacek	  This option defines the size of the internal SID -> context string
107*d97bd23cSOndrej Mosnacek	  cache, which improves the performance of context to string
108*d97bd23cSOndrej Mosnacek	  conversion.  Setting this option to 0 disables the cache completely.
109*d97bd23cSOndrej Mosnacek
110*d97bd23cSOndrej Mosnacek	  If unsure, keep the default value.
111