summaryrefslogtreecommitdiffstats
path: root/security/selinux/Kconfig
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/Kconfig')
-rw-r--r--security/selinux/Kconfig79
1 files changed, 79 insertions, 0 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
new file mode 100644
index 0000000000..d30348fbe0
--- /dev/null
+++ b/security/selinux/Kconfig
@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: GPL-2.0-only
+config SECURITY_SELINUX
+ bool "SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+ default n
+ help
+ This selects Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_BOOTPARAM
+ bool "SELinux boot parameter"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This option adds a kernel parameter 'selinux', which allows SELinux
+ to be disabled at boot. If this option is selected, SELinux
+ functionality can be disabled with selinux=0 on the kernel
+ command line. The purpose of this option is to allow a single
+ kernel image to be distributed with SELinux built in, but not
+ necessarily enabled.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_DEVELOP
+ bool "SELinux Development Support"
+ depends on SECURITY_SELINUX
+ default y
+ help
+ This enables the development support option of SELinux,
+ which is useful for experimenting with SELinux and developing
+ policies. If unsure, say Y. With this option enabled, the
+ kernel will start in permissive mode (log everything, deny nothing)
+ unless you specify enforcing=1 on the kernel command line. You
+ can interactively toggle the kernel between enforcing mode and
+ permissive mode (if permitted by the policy) via
+ /sys/fs/selinux/enforce.
+
+config SECURITY_SELINUX_AVC_STATS
+ bool "SELinux AVC Statistics"
+ depends on SECURITY_SELINUX
+ default y
+ help
+ This option collects access vector cache statistics to
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+ range 8 13
+ default 9
+ help
+ This option sets the number of buckets used in the sidtab hashtable
+ to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
+ collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
+ chain lengths are high (e.g. > 20) then selecting a higher value here
+ will ensure that lookups times are short and stable.
+
+config SECURITY_SELINUX_SID2STR_CACHE_SIZE
+ int "SELinux SID to context string translation cache size"
+ depends on SECURITY_SELINUX
+ default 256
+ help
+ This option defines the size of the internal SID -> context string
+ cache, which improves the performance of context to string
+ conversion. Setting this option to 0 disables the cache completely.
+
+ If unsure, keep the default value.
+
+config SECURITY_SELINUX_DEBUG
+ bool "SELinux kernel debugging support"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This enables debugging code designed to help SELinux kernel
+ developers, unless you know what this does in the kernel code you
+ should leave this disabled.