mirror of
https://github.com/torvalds/linux.git
synced 2024-11-26 06:02:05 +00:00
6f594f5a3d
If the SELinux debug configuration is enabled define the macro DEBUG such that pr_debug() calls are always enabled, regardless of CONFIG_DYNAMIC_DEBUG, since those message are the main reason for this configuration in the first place. Mention example usage in case CONFIG_DYNAMIC_DEBUG is enabled in the help section of the configuration. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
90 lines
3.1 KiB
Plaintext
90 lines
3.1 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config SECURITY_SELINUX
|
|
bool "SELinux Support"
|
|
depends on SECURITY_NETWORK && AUDIT && NET && INET
|
|
select NETWORK_SECMARK
|
|
default n
|
|
help
|
|
This selects Security-Enhanced Linux (SELinux).
|
|
You will also need a policy configuration and a labeled filesystem.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_BOOTPARAM
|
|
bool "SELinux boot parameter"
|
|
depends on SECURITY_SELINUX
|
|
default n
|
|
help
|
|
This option adds a kernel parameter 'selinux', which allows SELinux
|
|
to be disabled at boot. If this option is selected, SELinux
|
|
functionality can be disabled with selinux=0 on the kernel
|
|
command line. The purpose of this option is to allow a single
|
|
kernel image to be distributed with SELinux built in, but not
|
|
necessarily enabled.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_DEVELOP
|
|
bool "SELinux Development Support"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This enables the development support option of SELinux,
|
|
which is useful for experimenting with SELinux and developing
|
|
policies. If unsure, say Y. With this option enabled, the
|
|
kernel will start in permissive mode (log everything, deny nothing)
|
|
unless you specify enforcing=1 on the kernel command line. You
|
|
can interactively toggle the kernel between enforcing mode and
|
|
permissive mode (if permitted by the policy) via
|
|
/sys/fs/selinux/enforce.
|
|
|
|
config SECURITY_SELINUX_AVC_STATS
|
|
bool "SELinux AVC Statistics"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This option collects access vector cache statistics to
|
|
/sys/fs/selinux/avc/cache_stats, which may be monitored via
|
|
tools such as avcstat.
|
|
|
|
config SECURITY_SELINUX_SIDTAB_HASH_BITS
|
|
int "SELinux sidtab hashtable size"
|
|
depends on SECURITY_SELINUX
|
|
range 8 13
|
|
default 9
|
|
help
|
|
This option sets the number of buckets used in the sidtab hashtable
|
|
to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
|
|
collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
|
|
chain lengths are high (e.g. > 20) then selecting a higher value here
|
|
will ensure that lookups times are short and stable.
|
|
|
|
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
|
|
int "SELinux SID to context string translation cache size"
|
|
depends on SECURITY_SELINUX
|
|
default 256
|
|
help
|
|
This option defines the size of the internal SID -> context string
|
|
cache, which improves the performance of context to string
|
|
conversion. Setting this option to 0 disables the cache completely.
|
|
|
|
If unsure, keep the default value.
|
|
|
|
config SECURITY_SELINUX_DEBUG
|
|
bool "SELinux kernel debugging support"
|
|
depends on SECURITY_SELINUX
|
|
default n
|
|
help
|
|
This enables debugging code designed to help SELinux kernel
|
|
developers, unless you know what this does in the kernel code you
|
|
should leave this disabled.
|
|
|
|
To fine control the messages to be printed enable
|
|
CONFIG_DYNAMIC_DEBUG and see
|
|
Documentation/admin-guide/dynamic-debug-howto.rst for additional
|
|
information.
|
|
|
|
Example usage:
|
|
|
|
echo -n 'file "security/selinux/*" +p' > \
|
|
/proc/dynamic_debug/control
|