diff options
| author | Daniel Golle <daniel@makrotopia.org> | 2020-10-16 14:27:34 +0100 |
|---|---|---|
| committer | Daniel Golle <daniel@makrotopia.org> | 2020-10-16 14:29:48 +0100 |
| commit | ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2 (patch) | |
| tree | dab358783b69188907b95130f2913b40e4d6c11f | |
| parent | 00c28c51fb8eea4171d2aa3a43be999e9c769ce6 (diff) | |
| download | upstream-ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2.tar.gz upstream-ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2.tar.bz2 upstream-ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2.zip | |
config: clean up SELinux options
In order to make it easier for users to build with SELinux, have a
single option in 'Global build settings' to enable all necessary
kernel features, userland packages and build-system hooks.
Also add better descriptions and help messages while at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | config/Config-build.in | 24 | ||||
| -rw-r--r-- | config/Config-kernel.in | 2 |
2 files changed, 23 insertions, 3 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index 37cc3d7e5a..8e12199cbd 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -329,27 +329,45 @@ menu "Global build settings" endchoice config TARGET_ROOTFS_SECURITY_LABELS - bool "Enable rootfs security labels" + bool select KERNEL_SQUASHFS_XATTR select KERNEL_EXT4_FS_SECURITY select KERNEL_F2FS_FS_SECURITY select KERNEL_UBIFS_FS_SECURITY select KERNEL_JFFS2_FS_SECURITY + + config SELINUX + bool "Enable SELinux" + select KERNEL_SECURITY_SELINUX + select TARGET_ROOTFS_SECURITY_LABELS + select PACKAGE_procd-selinux + select PACKAGE_busybox-selinux help - This option enables the usage of SELinux labels + This option enables SELinux kernel features, applies security labels + in squashfs rootfs and selects the selinux-variants of busybox and procd. + + Selecting this option results in about 0.5MiB of additional flash space + usage accounting for increased kernel and rootfs size. choice prompt "default SELinux type" depends on TARGET_ROOTFS_SECURITY_LABELS default SELINUXTYPE_dssp help - Choose SELinux policy to be used for build. + Select SELinux policy to be installed and used for applying rootfs labels. + config SELINUXTYPE_targeted bool "targeted" select PACKAGE_refpolicy + help + SELinux Reference Policy (refpolicy) + config SELINUXTYPE_dssp bool "dssp" select PACKAGE_selinux-policy + help + Defensec SELinux Security Policy -- OpenWrt edition + endchoice endmenu diff --git a/config/Config-kernel.in b/config/Config-kernel.in index 32383dadab..dcf6df97ad 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -1124,6 +1124,7 @@ config KERNEL_SECURITY_SELINUX config KERNEL_SECURITY_SELINUX_BOOTPARAM bool "NSA SELinux boot parameter" depends on KERNEL_SECURITY_SELINUX + default y config KERNEL_SECURITY_SELINUX_DISABLE bool "NSA SELinux runtime disable" @@ -1132,6 +1133,7 @@ config KERNEL_SECURITY_SELINUX_DISABLE config KERNEL_SECURITY_SELINUX_DEVELOP bool "NSA SELinux Development Support" depends on KERNEL_SECURITY_SELINUX + default y config KERNEL_LSM string |