mirror of
https://github.com/torvalds/linux.git
synced 2024-12-26 12:52:30 +00:00
55a0e73806
The policy database code contains several debug output statements related to hashtable utilization. Those are guarded by the macro DEBUG_HASHES, which is neither documented nor set anywhere. Introduce a new Kconfig configuration guarding this and potential other future debugging related code. Disable the setting by default. Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Christian Göttsche <cgzones@googlemail.com> [PM: fixed line lengths in the help text] Signed-off-by: Paul Moore <paul@paul-moore.com>
80 lines
2.8 KiB
Plaintext
80 lines
2.8 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config SECURITY_SELINUX
|
|
bool "SELinux Support"
|
|
depends on SECURITY_NETWORK && AUDIT && NET && INET
|
|
select NETWORK_SECMARK
|
|
default n
|
|
help
|
|
This selects Security-Enhanced Linux (SELinux).
|
|
You will also need a policy configuration and a labeled filesystem.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_BOOTPARAM
|
|
bool "SELinux boot parameter"
|
|
depends on SECURITY_SELINUX
|
|
default n
|
|
help
|
|
This option adds a kernel parameter 'selinux', which allows SELinux
|
|
to be disabled at boot. If this option is selected, SELinux
|
|
functionality can be disabled with selinux=0 on the kernel
|
|
command line. The purpose of this option is to allow a single
|
|
kernel image to be distributed with SELinux built in, but not
|
|
necessarily enabled.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_DEVELOP
|
|
bool "SELinux Development Support"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This enables the development support option of SELinux,
|
|
which is useful for experimenting with SELinux and developing
|
|
policies. If unsure, say Y. With this option enabled, the
|
|
kernel will start in permissive mode (log everything, deny nothing)
|
|
unless you specify enforcing=1 on the kernel command line. You
|
|
can interactively toggle the kernel between enforcing mode and
|
|
permissive mode (if permitted by the policy) via
|
|
/sys/fs/selinux/enforce.
|
|
|
|
config SECURITY_SELINUX_AVC_STATS
|
|
bool "SELinux AVC Statistics"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This option collects access vector cache statistics to
|
|
/sys/fs/selinux/avc/cache_stats, which may be monitored via
|
|
tools such as avcstat.
|
|
|
|
config SECURITY_SELINUX_SIDTAB_HASH_BITS
|
|
int "SELinux sidtab hashtable size"
|
|
depends on SECURITY_SELINUX
|
|
range 8 13
|
|
default 9
|
|
help
|
|
This option sets the number of buckets used in the sidtab hashtable
|
|
to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
|
|
collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
|
|
chain lengths are high (e.g. > 20) then selecting a higher value here
|
|
will ensure that lookups times are short and stable.
|
|
|
|
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
|
|
int "SELinux SID to context string translation cache size"
|
|
depends on SECURITY_SELINUX
|
|
default 256
|
|
help
|
|
This option defines the size of the internal SID -> context string
|
|
cache, which improves the performance of context to string
|
|
conversion. Setting this option to 0 disables the cache completely.
|
|
|
|
If unsure, keep the default value.
|
|
|
|
config SECURITY_SELINUX_DEBUG
|
|
bool "SELinux kernel debugging support"
|
|
depends on SECURITY_SELINUX
|
|
default n
|
|
help
|
|
This enables debugging code designed to help SELinux kernel
|
|
developers, unless you know what this does in the kernel code you
|
|
should leave this disabled.
|