From ba9b6702aa3e95fa5a3a8aaa9e95c2d1e073f2f2 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Fri, 16 Oct 2020 14:27:34 +0100
Subject: [PATCH] config: clean up SELinux options

In order to make it easier for users to build with SELinux, have a single option in 'Global build settings' to enable all necessary kernel features, userland packages and build-system hooks. Also add better descriptions and help messages while at it.

Signed-off-by: Daniel Golle
---
 config/Config-build.in | 24 +++++++++++++++++++++---
 config/Config-kernel.in | 2 ++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index 37cc3d7e5a..8e12199cbd 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -329,27 +329,45 @@ menu "Global build settings"
 	endchoice
 
 config TARGET_ROOTFS_SECURITY_LABELS
-	bool "Enable rootfs security labels"
+	bool
 	select KERNEL_SQUASHFS_XATTR
 	select KERNEL_EXT4_FS_SECURITY
 	select KERNEL_F2FS_FS_SECURITY
 	select KERNEL_UBIFS_FS_SECURITY
 	select KERNEL_JFFS2_FS_SECURITY
+
+config SELINUX
+	bool "Enable SELinux"
+	select KERNEL_SECURITY_SELINUX
+	select TARGET_ROOTFS_SECURITY_LABELS
+	select PACKAGE_procd-selinux
+	select PACKAGE_busybox-selinux
 	help
-	  This option enables the usage of SELinux labels
+	  This option enables SELinux kernel features, applies security labels
+	  in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+	  Selecting this option results in about 0.5MiB of additional flash space
+	  usage accounting for increased kernel and rootfs size.
 
 choice
 	prompt "default SELinux type"
 	depends on TARGET_ROOTFS_SECURITY_LABELS
 	default SELINUXTYPE_dssp
 	help
-	  Choose SELinux policy to be used for build.
+	  Select SELinux policy to be installed and used for applying rootfs labels.
+
 config SELINUXTYPE_targeted
 	bool "targeted"
 	select PACKAGE_refpolicy
+	help
+	  SELinux Reference Policy (refpolicy)
+
 config SELINUXTYPE_dssp
 	bool "dssp"
 	select PACKAGE_selinux-policy
+	help
+	  Defensec SELinux Security Policy -- OpenWrt edition
+
 endchoice
 
 endmenu
diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index 32383dadab..dcf6df97ad 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1124,6 +1124,7 @@ config KERNEL_SECURITY_SELINUX
 config KERNEL_SECURITY_SELINUX_BOOTPARAM
 	bool "NSA SELinux boot parameter"
 	depends on KERNEL_SECURITY_SELINUX
+	default y
 
 config KERNEL_SECURITY_SELINUX_DISABLE
 	bool "NSA SELinux runtime disable"
@@ -1132,6 +1133,7 @@ config KERNEL_SECURITY_SELINUX_DISABLE
 config KERNEL_SECURITY_SELINUX_DEVELOP
 	bool "NSA SELinux Development Support"
 	depends on KERNEL_SECURITY_SELINUX
+	default y
 
 config KERNEL_LSM
 	string
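Review bot: The new help text under `config SELINUX` says labels are applied "in squashfs rootfs", but `TARGET_ROOTFS_SECURITY_LABELS`, which it selects, also turns on security xattr support for ext4, f2fs, UBIFS and JFFS2, so the description understates what the option changes; suggest `This option enables the SELinux LSM in the kernel, enables security label (xattr) support for the supported rootfs types (squashfs, ext4, f2fs, ubifs, jffs2) and selects the selinux variants of busybox and procd.` The `default SELinux type` choice still has `depends on TARGET_ROOTFS_SECURITY_LABELS` rather than depending on the new `SELINUX` symbol; since the former no longer has a prompt and is only reachable through `select`, `depends on SELINUX` would tie the policy package to the option that actually builds the kernel LSM (if nothing else selects `TARGET_ROOTFS_SECURITY_LABELS` this is a consistency point rather than a bug). Nothing in this hunk sets `KERNEL_LSM` (the string option visible at the end of the Config-kernel.in hunks) to list selinux, so whether the LSM is actually initialised at boot presumably depends on that string's default elsewhere or on a boot parameter, which the help text should state rather than leave implicit.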
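Review bot: The `default y` added to `KERNEL_SECURITY_SELINUX_BOOTPARAM` here, and to `KERNEL_SECURITY_SELINUX_DEVELOP` in the following hunk, is not explained by the commit message, which only speaks of enabling "all necessary kernel features". Going by the upstream kernel help for these symbols (not shown in the hunk), both defaults weaken the enforcement posture of a build that selects `SELINUX`: the boot-parameter option lets the LSM be turned off from the kernel command line, and development support makes the kernel start in permissive mode unless enforcing is requested on the command line or by userspace, so the resulting image may log policy violations without denying them. If that is intentional for policy development on OpenWrt, say so in the commit message and in the `config SELINUX` help text, e.g. `Note: the kernel honours the selinux= boot parameter and starts in permissive mode; set enforcing=1 on the kernel command line (or have init switch to enforcing) for an enforcing build.` Otherwise leave both at their previous default and let a separate developer-facing option turn them on.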