Fedora kernel-2.6.17-1.2142_FC4 patched with stable patch-2.6.17.4-vs2.0.2-rc26.diff

[linux-2.6.git] / security / selinux / Kconfig

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 5a4a798..f636f53 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
        bool "NSA SELinux Support"
-       depends on SECURITY && NET
+       depends on SECURITY_NETWORK && AUDIT && NET && INET
        default n
        help
          This selects NSA Security-Enhanced Linux (SELinux).
@@ -34,7 +34,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
          'selinux', which allows SELinux to be disabled at boot.  If this
          option is set to 0 (zero), the SELinux kernel parameter will
          default to 0, disabling SELinux at bootup.  If this option is
-         set to 1 (one), the SELinux kernel paramater will default to 1,
+         set to 1 (one), the SELinux kernel parameter will default to 1,
          enabling SELinux at bootup.
 
          If you are unsure how to answer this question, answer 1.
@@ -67,12 +67,31 @@ config SECURITY_SELINUX_DEVELOP
          can interactively toggle the kernel between enforcing mode and
          permissive mode (if permitted by the policy) via /selinux/enforce.
 
-config SECURITY_SELINUX_MLS
-       bool "NSA SELinux MLS policy (EXPERIMENTAL)"
-       depends on SECURITY_SELINUX && EXPERIMENTAL
-       default n
+config SECURITY_SELINUX_AVC_STATS
+       bool "NSA SELinux AVC Statistics"
+       depends on SECURITY_SELINUX
+       default y
+       help
+         This option collects access vector cache statistics to
+         /selinux/avc/cache_stats, which may be monitored via
+         tools such as avcstat.
+
+config SECURITY_SELINUX_CHECKREQPROT_VALUE
+       int "NSA SELinux checkreqprot default value"
+       depends on SECURITY_SELINUX
+       range 0 1
+       default 1
        help
-         This enables the NSA SELinux Multi-Level Security (MLS) policy in
-         addition to the default RBAC/TE policy.  This policy is
-         experimental and has not been configured for use.  Unless you
-         specifically want to experiment with MLS, say N.
+         This option sets the default value for the 'checkreqprot' flag
+         that determines whether SELinux checks the protection requested
+         by the application or the protection that will be applied by the
+         kernel (including any implied execute for read-implies-exec) for
+         mmap and mprotect calls.  If this option is set to 0 (zero),
+         SELinux will default to checking the protection that will be applied
+         by the kernel.  If this option is set to 1 (one), SELinux will
+         default to checking the protection requested by the application.
+         The checkreqprot flag may be changed from the default via the
+         'checkreqprot=' boot parameter.  It may also be changed at runtime
+         via /selinux/checkreqprot if authorized by policy.
+
+         If you are unsure how to answer this question, answer 1.