# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SELINUX
	bool "NSA SELinux Support"
	depends on SECURITY_NETWORK && AUDIT && NET && INET
	select NETWORK_SECMARK
	default n
	help
	  This selects NSA Security-Enhanced Linux (SELinux).
	  You will also need a policy configuration and a labeled filesystem.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM
	bool "NSA SELinux boot parameter"
	depends on SECURITY_SELINUX
	default n
	help
	  This option adds a kernel parameter 'selinux', which allows SELinux
	  to be disabled at boot. If this option is selected, SELinux
	  functionality can be disabled with selinux=0 on the kernel
	  command line. The purpose of this option is to allow a single
	  kernel image to be distributed with SELinux built in, but not
	  necessarily enabled.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DISABLE
	bool "NSA SELinux runtime disable"
	depends on SECURITY_SELINUX
	select SECURITY_WRITABLE_HOOKS
	default n
	help
	  This option enables writing to a selinuxfs node 'disable', which
	  allows SELinux to be disabled at runtime prior to the policy load.
	  SELinux will then remain disabled until the next boot.
	  This option is similar to the selinux=0 boot parameter, but is to
	  support runtime disabling of SELinux, e.g. from /sbin/init, for
	  portability across platforms where boot parameters are difficult
	  to employ.

	  NOTE: selecting this option will disable the '__ro_after_init'
	  kernel hardening feature for security hooks. Please consider
	  using the selinux=0 boot parameter instead of enabling this
	  option.

	  WARNING: this option is deprecated and will be removed in a future
	  kernel release.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP
	bool "NSA SELinux Development Support"
	depends on SECURITY_SELINUX
	default y
	help
	  This enables the development support option of NSA SELinux,
	  which is useful for experimenting with SELinux and developing
	  policies. If unsure, say Y. With this option enabled, the
	  kernel will start in permissive mode (log everything, deny nothing)
	  unless you specify enforcing=1 on the kernel command line. You
	  can interactively toggle the kernel between enforcing mode and
	  permissive mode (if permitted by the policy) via
	  /sys/fs/selinux/enforce.

config SECURITY_SELINUX_AVC_STATS
	bool "NSA SELinux AVC Statistics"
	depends on SECURITY_SELINUX
	default y
	help
	  This option collects access vector cache statistics to
	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
	  tools such as avcstat.

config SECURITY_SELINUX_CHECKREQPROT_VALUE
	int "NSA SELinux checkreqprot default value"
	depends on SECURITY_SELINUX
	range 0 1
	default 0
	help
	  This option sets the default value for the 'checkreqprot' flag
	  that determines whether SELinux checks the protection requested
	  by the application or the protection that will be applied by the
	  kernel (including any implied execute for read-implies-exec) for
	  mmap and mprotect calls. If this option is set to 0 (zero),
	  SELinux will default to checking the protection that will be applied
	  by the kernel. If this option is set to 1 (one), SELinux will
	  default to checking the protection requested by the application.
	  The checkreqprot flag may be changed from the default via the
	  'checkreqprot=' boot parameter. It may also be changed at runtime
	  via /sys/fs/selinux/checkreqprot if authorized by policy.

	  WARNING: this option is deprecated and will be removed in a future
	  kernel release.

	  If you are unsure how to answer this question, answer 0.

config SECURITY_SELINUX_SIDTAB_HASH_BITS
	int "NSA SELinux sidtab hashtable size"
	depends on SECURITY_SELINUX
	range 8 13
	default 9
	help
	  This option sets the number of buckets used in the sidtab hashtable
	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
	  chain lengths are high (e.g. > 20) then selecting a higher value here
	  will ensure that lookup times are short and stable.

config SECURITY_SELINUX_SID2STR_CACHE_SIZE
	int "NSA SELinux SID to context string translation cache size"
	depends on SECURITY_SELINUX
	default 256
	help
	  This option defines the size of the internal SID -> context string
	  cache, which improves the performance of context to string
	  conversion. Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.
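As an added example, not part of the kernel's Kconfig or its tooling, the following Python check reads a snapshot of the selinuxfs nodes the help texts above name (enforce, checkreqprot, avc/cache_stats, ss/sidtab_hash_stats) and turns them into findings: whether the box booted permissive, whether checkreqprot=1 is in effect, and, using the "> 20" chain-length rule and the 8..13 range from SECURITY_SELINUX_SIDTAB_HASH_BITS, which value to rebuild with. The snapshot is constructed, and the column header of avc/cache_stats and the three-line layout of ss/sidtab_hash_stats are assumptions about the kernel's output format, not taken from this page.

```python
import math

# Constructed snapshot of the selinuxfs nodes named in the help texts above, not
# captured from a real host. The avc/cache_stats column header and the three-line
# ss/sidtab_hash_stats layout are assumed from the kernel's selinuxfs output.
SAMPLE_FS = {
    "enforce": "0\n",
    "checkreqprot": "1\n",
    "avc/cache_stats": ("lookups hits misses allocations reclaims frees\n"
                        "100000 99000 1000 1000 0 0\n"
                        "50000 49400 600 600 0 0\n"),
    "ss/sidtab_hash_stats": "entries: 7300\nbuckets used: 512/512\nlongest chain: 27\n",
}
SIDTAB_BITS_MIN, SIDTAB_BITS_MAX = 8, 13  # 'range 8 13' of SECURITY_SELINUX_SIDTAB_HASH_BITS
CHAIN_LEN_HIGH = 20                       # the '> 20' rule of thumb in its help text

def avc_hit_ratio(text):
    """Sum the per-CPU rows of avc/cache_stats and return hits / lookups."""
    header, *rows = text.strip().splitlines()
    totals = {col: 0 for col in header.split()}
    for row in rows:
        for col, val in zip(totals, map(int, row.split())):
            totals[col] += val
    return totals["hits"] / totals["lookups"] if totals["lookups"] else 0.0

def sidtab_bits(text):
    """Return (current_bits, recommended_bits) from ss/sidtab_hash_stats."""
    stats = {k.strip(): v.strip() for k, v in
             (line.split(":", 1) for line in text.strip().splitlines())}
    cur = int(stats["buckets used"].split("/")[1]).bit_length() - 1  # buckets == 2^bits
    if int(stats["longest chain"]) <= CHAIN_LEN_HIGH:
        return cur, cur                      # chains are short; keep the build value
    # Long chains: aim for about one entry per bucket, at least one step up, within range.
    want = max(cur + 1, math.ceil(math.log2(int(stats["entries"]))))
    return cur, min(max(want, SIDTAB_BITS_MIN), SIDTAB_BITS_MAX)

def posture(fs):
    """Findings a defender would raise from a snapshot (dict of selinuxfs node -> contents)."""
    findings = []
    if fs["enforce"].strip() != "1":
        findings.append("permissive: denials are logged but nothing is denied")
    if fs["checkreqprot"].strip() == "1":
        findings.append("checkreqprot=1: application-requested, not kernel-applied, protection is checked")
    cur, want = sidtab_bits(fs["ss/sidtab_hash_stats"])
    if want > cur:
        findings.append(f"sidtab chain > {CHAIN_LEN_HIGH}: rebuild with SIDTAB_HASH_BITS={want} (now {cur})")
    if avc_hit_ratio(fs["avc/cache_stats"]) < 0.9:
        findings.append("AVC hit ratio below 90%: check with avcstat")
    return findings
```

On a live host, build the dict by reading the same relative paths under /sys/fs/selinux; the SID2STR cache and the runtime 'disable' node have no statistics node to inspect, so they are out of scope here.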