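# SPDX-License-Identifier: GPL-2.0-only
#
# Build-time options for the SELinux LSM. Every option below depends on
# SECURITY_SELINUX, so nothing here has any effect unless that is enabled.
config SECURITY_SELINUX
	bool "SELinux Support"
	depends on SECURITY_NETWORK && AUDIT && NET && INET
	select NETWORK_SECMARK
	default n
	help
	  This selects Security-Enhanced Linux (SELinux).
	  You will also need a policy configuration and a labeled filesystem.
	  If you are unsure how to answer this question, answer N.

# Hardening note: with this enabled, anyone who can change the kernel
# command line (bootloader configuration, an unprotected boot path) can
# turn SELinux off with selinux=0. Leave it off unless the boot
# parameters themselves are protected, or the "single image, optional
# SELinux" distribution model is actually needed.
config SECURITY_SELINUX_BOOTPARAM
	bool "SELinux boot parameter"
	depends on SECURITY_SELINUX
	default n
	help
	  This option adds a kernel parameter 'selinux', which allows SELinux
	  to be disabled at boot.  If this option is selected, SELinux
	  functionality can be disabled with selinux=0 on the kernel
	  command line. The purpose of this option is to allow a single
	  kernel image to be distributed with SELinux built in, but not
	  necessarily enabled.

	  If you are unsure how to answer this question, answer N.

# Note: with this enabled the kernel boots permissive (denials are only
# logged) unless enforcing=1 is on the command line, and the mode can be
# toggled at runtime through /sys/fs/selinux/enforce. Kernels that must
# enforce from the first instruction of userspace should either disable
# this or guarantee enforcing=1 is always passed.
config SECURITY_SELINUX_DEVELOP
	bool "SELinux Development Support"
	depends on SECURITY_SELINUX
	default y
	help
	  This enables the development support option of SELinux,
	  which is useful for experimenting with SELinux and developing
	  policies.  If unsure, say Y. With this option enabled, the
	  kernel will start in permissive mode (log everything, deny nothing)
	  unless you specify enforcing=1 on the kernel command line.  You
	  can interactively toggle the kernel between enforcing mode and
	  permissive mode (if permitted by the policy) via
	  /sys/fs/selinux/enforce.

# Exposes AVC hit/miss counters under /sys/fs/selinux/avc/cache_stats;
# useful for sizing and for spotting policy-reload or lookup storms.
config SECURITY_SELINUX_AVC_STATS
	bool "SELinux AVC Statistics"
	depends on SECURITY_SELINUX
	default y
	help
	  This option collects access vector cache statistics to
	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
	  tools such as avcstat.

# Bucket count is 2^N, so the allowed range 8..13 gives 256..8192 buckets.
# Chain-length statistics live in /sys/fs/selinux/ss/sidtab_hash_stats.
config SECURITY_SELINUX_SIDTAB_HASH_BITS
	int "SELinux sidtab hashtable size"
	depends on SECURITY_SELINUX
	range 8 13
	default 9
	help
	  This option sets the number of buckets used in the sidtab hashtable
	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
	  chain lengths are high (e.g. > 20) then selecting a higher value here
	  will ensure that lookup times are short and stable.

# A value of 0 disables the SID -> context string cache entirely.
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
	int "SELinux SID to context string translation cache size"
	depends on SECURITY_SELINUX
	default 256
	help
	  This option defines the size of the internal SID -> context string
	  cache, which improves the performance of context to string
	  conversion.  Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.

# Developer-only instrumentation; keep disabled on production kernels.
config SECURITY_SELINUX_DEBUG
	bool "SELinux kernel debugging support"
	depends on SECURITY_SELINUX
	default n
	help
	  This enables debugging code designed to help SELinux kernel
	  developers. Unless you know what this does in the kernel code, you
	  should leave this disabled.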