config SECURITY_SELINUX
bool "NSA SELinux Support"
- depends on SECURITY
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
default n
help
This selects NSA Security-Enhanced Linux (SELinux).
If you are unsure how to answer this question, answer N.
+config SECURITY_SELINUX_BOOTPARAM_VALUE
+ int "NSA SELinux boot parameter default value"
+ depends on SECURITY_SELINUX_BOOTPARAM
+ range 0 1
+ default 1
+ help
+ This option sets the default value for the kernel parameter
+ 'selinux', which allows SELinux to be disabled at boot. If this
+ option is set to 0 (zero), the SELinux kernel parameter will
+ default to 0, disabling SELinux at bootup. If this option is
+ set to 1 (one), the SELinux kernel parameter will default to 1,
+ enabling SELinux at bootup.
+
+ If you are unsure how to answer this question, answer 1.
+
config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX
can interactively toggle the kernel between enforcing mode and
permissive mode (if permitted by the policy) via /selinux/enforce.
-config SECURITY_SELINUX_MLS
- bool "NSA SELinux MLS policy (EXPERIMENTAL)"
- depends on SECURITY_SELINUX && EXPERIMENTAL
- default n
+config SECURITY_SELINUX_AVC_STATS
+ bool "NSA SELinux AVC Statistics"
+ depends on SECURITY_SELINUX
+ default y
help
- This enables the NSA SELinux Multi-Level Security (MLS) policy in
- addition to the default RBAC/TE policy. This policy is
- experimental and has not been configured for use. Unless you
- specifically want to experiment with MLS, say N.
+ This option collects access vector cache statistics to
+ /selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+config SECURITY_SELINUX_CHECKREQPROT_VALUE
+ int "NSA SELinux checkreqprot default value"
+ depends on SECURITY_SELINUX
+ range 0 1
+ default 1
+ help
+ This option sets the default value for the 'checkreqprot' flag
+ that determines whether SELinux checks the protection requested
+ by the application or the protection that will be applied by the
+ kernel (including any implied execute for read-implies-exec) for
+ mmap and mprotect calls. If this option is set to 0 (zero),
+ SELinux will default to checking the protection that will be applied
+ by the kernel. If this option is set to 1 (one), SELinux will
+ default to checking the protection requested by the application.
+ The checkreqprot flag may be changed from the default via the
+ 'checkreqprot=' boot parameter. It may also be changed at runtime
+ via /selinux/checkreqprot if authorized by policy.
+
+ If you are unsure how to answer this question, answer 1.