+config SECURITY_SELINUX_AVC_STATS
+ bool "NSA SELinux AVC Statistics"
+ depends on SECURITY_SELINUX
+ default y
+ help
+ This option collects access vector cache statistics to
+ /selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+config SECURITY_SELINUX_CHECKREQPROT_VALUE
+ int "NSA SELinux checkreqprot default value"
+ depends on SECURITY_SELINUX
+ range 0 1
+ default 1
+ help
+ This option sets the default value for the 'checkreqprot' flag
+ that determines whether SELinux checks the protection requested
+ by the application or the protection that will be applied by the
+ kernel (including any implied execute for read-implies-exec) for
+ mmap and mprotect calls. If this option is set to 0 (zero),
+ SELinux will default to checking the protection that will be applied
+ by the kernel. If this option is set to 1 (one), SELinux will
+ default to checking the protection requested by the application.
+ The checkreqprot flag may be changed from the default via the
+ 'checkreqprot=' boot parameter. It may also be changed at runtime
+ via /selinux/checkreqprot if authorized by policy.
+
+ If you are unsure how to answer this question, answer 1.
+
+config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+ bool "NSA SELinux enable new secmark network controls by default"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This option determines whether the new secmark-based network
+ controls will be enabled by default. If not, the old internal
+ per-packet controls will be enabled by default, preserving
+ old behavior.
+
+ If you enable the new controls, you will need updated
+ SELinux userspace libraries, tools and policy. Typically,
+ your distribution will provide these and enable the new controls
+ in the kernel they also distribute.
+
+ Note that this option can be overridden at boot with the
+ selinux_compat_net parameter, and after boot via
+ /selinux/compat_net. See Documentation/kernel-parameters.txt
+ for details on this parameter.
+
+ If you enable the new network controls, you will likely
+ also require the SECMARK and CONNSECMARK targets, as
+ well as any conntrack helpers for protocols which you
+ wish to control.
+
+ If you are unsure what to do here, select N.
+
+config SECURITY_SELINUX_POLICYDB_VERSION_MAX
+ bool "NSA SELinux maximum supported policy format version"
+ depends on SECURITY_SELINUX