help
This selects NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
- You can obtain the policy compiler (checkpolicy), the utility for
- labeling filesystems (setfiles), and an example policy configuration
- from <http://www.nsa.gov/selinux/>.
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_BOOTPARAM
If you are unsure how to answer this question, answer 1.
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
- bool "NSA SELinux enable new secmark network controls by default"
+config SECURITY_SELINUX_POLICYDB_VERSION_MAX
+ bool "NSA SELinux maximum supported policy format version"
depends on SECURITY_SELINUX
default n
help
- This option determines whether the new secmark-based network
- controls will be enabled by default. If not, the old internal
- per-packet controls will be enabled by default, preserving
- old behavior.
-
- If you enable the new controls, you will need updated
- SELinux userspace libraries, tools and policy. Typically,
- your distribution will provide these and enable the new controls
- in the kernel they also distribute.
-
- Note that this option can be overriden at boot with the
- selinux_compat_net parameter, and after boot via
- /selinux/compat_net. See Documentation/kernel-parameters.txt
- for details on this parameter.
-
- If you enable the new network controls, you will likely
- also require the SECMARK and CONNSECMARK targets, as
- well as any conntrack helpers for protocols which you
- wish to control.
-
- If you are unsure what do do here, select N.
+ This option enables the maximum policy format version supported
+ by SELinux to be set to a particular value. This value is reported
+ to userspace via /selinux/policyvers and used at policy load time.
+ It can be adjusted downward to support legacy userland (init) that
+ does not correctly handle kernels that support newer policy versions.
+
+ Examples:
+ For the Fedora Core 3 or 4 Linux distributions, enable this option
+ and set the value via the next option. For Fedora Core 5 and later,
+ do not enable this option.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
+ int "NSA SELinux maximum supported policy format version value"
+ depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
+ range 15 23
+ default 19
+ help
+ This option sets the value for the maximum policy format version
+ supported by SELinux.
+
+ Examples:
+ For Fedora Core 3, use 18.
+ For Fedora Core 4, use 19.
+
+ If you are unsure how to answer this question, look for the
+ policy format version supported by your policy toolchain, by
+ running 'checkpolicy -V'. Or look at what policy you have
+ installed under /etc/selinux/$SELINUXTYPE/policy, where
+ SELINUXTYPE is defined in your /etc/selinux/config.
git://ftp.safe.ca / safe / jmp / linux-2.6 / blobdiff