18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
28c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX
38c2ecf20Sopenharmony_ci	bool "NSA SELinux Support"
48c2ecf20Sopenharmony_ci	depends on SECURITY_NETWORK && AUDIT && NET && INET
58c2ecf20Sopenharmony_ci	select NETWORK_SECMARK
68c2ecf20Sopenharmony_ci	default n
78c2ecf20Sopenharmony_ci	help
88c2ecf20Sopenharmony_ci	  This selects NSA Security-Enhanced Linux (SELinux).
98c2ecf20Sopenharmony_ci	  You will also need a policy configuration and a labeled filesystem.
108c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
118c2ecf20Sopenharmony_ci
128c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_BOOTPARAM
138c2ecf20Sopenharmony_ci	bool "NSA SELinux boot parameter"
148c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
158c2ecf20Sopenharmony_ci	default n
168c2ecf20Sopenharmony_ci	help
178c2ecf20Sopenharmony_ci	  This option adds a kernel parameter 'selinux', which allows SELinux
188c2ecf20Sopenharmony_ci	  to be disabled at boot.  If this option is selected, SELinux
198c2ecf20Sopenharmony_ci	  functionality can be disabled with selinux=0 on the kernel
208c2ecf20Sopenharmony_ci	  command line.  The purpose of this option is to allow a single
218c2ecf20Sopenharmony_ci	  kernel image to be distributed with SELinux built in, but not
228c2ecf20Sopenharmony_ci	  necessarily enabled.
238c2ecf20Sopenharmony_ci
248c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
258c2ecf20Sopenharmony_ci
268c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_DISABLE
278c2ecf20Sopenharmony_ci	bool "NSA SELinux runtime disable"
288c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
298c2ecf20Sopenharmony_ci	select SECURITY_WRITABLE_HOOKS
308c2ecf20Sopenharmony_ci	default n
318c2ecf20Sopenharmony_ci	help
328c2ecf20Sopenharmony_ci	  This option enables writing to a selinuxfs node 'disable', which
338c2ecf20Sopenharmony_ci	  allows SELinux to be disabled at runtime prior to the policy load.
348c2ecf20Sopenharmony_ci	  SELinux will then remain disabled until the next boot.
358c2ecf20Sopenharmony_ci	  This option is similar to the selinux=0 boot parameter, but is to
368c2ecf20Sopenharmony_ci	  support runtime disabling of SELinux, e.g. from /sbin/init, for
378c2ecf20Sopenharmony_ci	  portability across platforms where boot parameters are difficult
388c2ecf20Sopenharmony_ci	  to employ.
398c2ecf20Sopenharmony_ci
408c2ecf20Sopenharmony_ci	  NOTE: selecting this option will disable the '__ro_after_init'
418c2ecf20Sopenharmony_ci	  kernel hardening feature for security hooks.   Please consider
428c2ecf20Sopenharmony_ci	  using the selinux=0 boot parameter instead of enabling this
438c2ecf20Sopenharmony_ci	  option.
448c2ecf20Sopenharmony_ci
458c2ecf20Sopenharmony_ci	  WARNING: this option is deprecated and will be removed in a future
468c2ecf20Sopenharmony_ci	  kernel release.
478c2ecf20Sopenharmony_ci
488c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
498c2ecf20Sopenharmony_ci
508c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_DEVELOP
518c2ecf20Sopenharmony_ci	bool "NSA SELinux Development Support"
528c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
538c2ecf20Sopenharmony_ci	default y
548c2ecf20Sopenharmony_ci	help
558c2ecf20Sopenharmony_ci	  This enables the development support option of NSA SELinux,
568c2ecf20Sopenharmony_ci	  which is useful for experimenting with SELinux and developing
578c2ecf20Sopenharmony_ci	  policies.  If unsure, say Y.  With this option enabled, the
588c2ecf20Sopenharmony_ci	  kernel will start in permissive mode (log everything, deny nothing)
598c2ecf20Sopenharmony_ci	  unless you specify enforcing=1 on the kernel command line.  You
608c2ecf20Sopenharmony_ci	  can interactively toggle the kernel between enforcing mode and
618c2ecf20Sopenharmony_ci	  permissive mode (if permitted by the policy) via
628c2ecf20Sopenharmony_ci	  /sys/fs/selinux/enforce.
638c2ecf20Sopenharmony_ci
648c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_AVC_STATS
658c2ecf20Sopenharmony_ci	bool "NSA SELinux AVC Statistics"
668c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
678c2ecf20Sopenharmony_ci	default y
688c2ecf20Sopenharmony_ci	help
698c2ecf20Sopenharmony_ci	  This option collects access vector cache statistics to
708c2ecf20Sopenharmony_ci	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
718c2ecf20Sopenharmony_ci	  tools such as avcstat.
728c2ecf20Sopenharmony_ci
738c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_CHECKREQPROT_VALUE
748c2ecf20Sopenharmony_ci	int "NSA SELinux checkreqprot default value"
758c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
768c2ecf20Sopenharmony_ci	range 0 1
778c2ecf20Sopenharmony_ci	default 0
788c2ecf20Sopenharmony_ci	help
798c2ecf20Sopenharmony_ci	  This option sets the default value for the 'checkreqprot' flag
808c2ecf20Sopenharmony_ci	  that determines whether SELinux checks the protection requested
818c2ecf20Sopenharmony_ci	  by the application or the protection that will be applied by the
828c2ecf20Sopenharmony_ci	  kernel (including any implied execute for read-implies-exec) for
838c2ecf20Sopenharmony_ci	  mmap and mprotect calls.  If this option is set to 0 (zero),
848c2ecf20Sopenharmony_ci	  SELinux will default to checking the protection that will be applied
858c2ecf20Sopenharmony_ci	  by the kernel.  If this option is set to 1 (one), SELinux will
868c2ecf20Sopenharmony_ci	  default to checking the protection requested by the application.
878c2ecf20Sopenharmony_ci	  The checkreqprot flag may be changed from the default via the
888c2ecf20Sopenharmony_ci	  'checkreqprot=' boot parameter.  It may also be changed at runtime
898c2ecf20Sopenharmony_ci	  via /sys/fs/selinux/checkreqprot if authorized by policy.
908c2ecf20Sopenharmony_ci
918c2ecf20Sopenharmony_ci	  WARNING: this option is deprecated and will be removed in a future
928c2ecf20Sopenharmony_ci	  kernel release.
938c2ecf20Sopenharmony_ci
948c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer 0.
958c2ecf20Sopenharmony_ci
968c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_SIDTAB_HASH_BITS
978c2ecf20Sopenharmony_ci	int "NSA SELinux sidtab hashtable size"
988c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
998c2ecf20Sopenharmony_ci	range 8 13
1008c2ecf20Sopenharmony_ci	default 9
1018c2ecf20Sopenharmony_ci	help
1028c2ecf20Sopenharmony_ci	  This option sets the number of buckets used in the sidtab hashtable
1038c2ecf20Sopenharmony_ci	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
1048c2ecf20Sopenharmony_ci	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
1058c2ecf20Sopenharmony_ci	  chain lengths are high (e.g. > 20) then selecting a higher value here
1068c2ecf20Sopenharmony_ci	  will ensure that lookups times are short and stable.
1078c2ecf20Sopenharmony_ci
1088c2ecf20Sopenharmony_ciconfig SECURITY_SELINUX_SID2STR_CACHE_SIZE
1098c2ecf20Sopenharmony_ci	int "NSA SELinux SID to context string translation cache size"
1108c2ecf20Sopenharmony_ci	depends on SECURITY_SELINUX
1118c2ecf20Sopenharmony_ci	default 256
1128c2ecf20Sopenharmony_ci	help
1138c2ecf20Sopenharmony_ci	  This option defines the size of the internal SID -> context string
1148c2ecf20Sopenharmony_ci	  cache, which improves the performance of context to string
1158c2ecf20Sopenharmony_ci	  conversion.  Setting this option to 0 disables the cache completely.
1168c2ecf20Sopenharmony_ci
1178c2ecf20Sopenharmony_ci	  If unsure, keep the default value.
118