From ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Fri, 16 Oct 2020 14:27:34 +0100
Subject: config: clean up SELinux options

In order to make it easier for users to build with SELinux, have a single option in 'Global build settings' to enable all necessary kernel features, userland packages and build-system hooks. Also add better descriptions and help messages while at it.

Signed-off-by: Daniel Golle
---
 config/Config-build.in | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

(limited to 'config/Config-build.in')

diff --git a/config/Config-build.in b/config/Config-build.in
index 37cc3d7e5a..8e12199cbd 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -329,27 +329,45 @@ menu "Global build settings"
 endchoice
 config TARGET_ROOTFS_SECURITY_LABELS
- bool "Enable rootfs security labels"
+ bool
 select KERNEL_SQUASHFS_XATTR
 select KERNEL_EXT4_FS_SECURITY
 select KERNEL_F2FS_FS_SECURITY
 select KERNEL_UBIFS_FS_SECURITY
 select KERNEL_JFFS2_FS_SECURITY
+
+ config SELINUX
+ bool "Enable SELinux"
+ select KERNEL_SECURITY_SELINUX
+ select TARGET_ROOTFS_SECURITY_LABELS
+ select PACKAGE_procd-selinux
+ select PACKAGE_busybox-selinux
 help
- This option enables the usage of SELinux labels
+ This option enables SELinux kernel features, applies security labels
+ in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+ Selecting this option results in about 0.5MiB of additional flash space
+ usage accounting for increased kernel and rootfs size.
 choice
 prompt "default SELinux type"
 depends on TARGET_ROOTFS_SECURITY_LABELS
 default SELINUXTYPE_dssp
 help
- Choose SELinux policy to be used for build.
+ Select SELinux policy to be installed and used for applying rootfs labels.
+
 config SELINUXTYPE_targeted
 bool "targeted"
 select PACKAGE_refpolicy
+ help
+ SELinux Reference Policy (refpolicy)
+
 config SELINUXTYPE_dssp
 bool "dssp"
 select PACKAGE_selinux-policy
+ help
+ Defensec SELinux Security Policy -- OpenWrt edition
+
 endchoice
 endmenu
--
cgit v1.2.3
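Review bot: The policy choice further down in this hunk still carries `depends on TARGET_ROOTFS_SECURITY_LABELS`, which this change turns into a promptless helper symbol; keying it to the user-visible option instead, `depends on SELINUX`, would keep a policy package from being pulled in if some other symbol ever selects the label support on its own. The new `select PACKAGE_procd-selinux` and `select PACKAGE_busybox-selinux` lines force those symbols on without honouring their own dependencies, and nothing visible here switches off the non-SELinux variants, so it is worth confirming that the two variants cannot both end up in one image. The help text names only squashfs although xattr/security support is selected for ext4, f2fs, ubifs and jffs2 as well, and it does not say whether the resulting image enforces the policy or merely loads it; one sentence on each would let users judge what protection the option actually gives them.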