config: clean up SELinux options
In order to make it easier for users to build with SELinux, have a single option in 'Global build settings' to enable all necessary kernel features, userland packages and build-system hooks. Also add better descriptions and help messages while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
parent
00c28c51fb
commit
ba9b6702aa
@ -329,27 +329,45 @@ menu "Global build settings"
|
|||||||
endchoice
|
endchoice
|
||||||
|
|
||||||
config TARGET_ROOTFS_SECURITY_LABELS
|
config TARGET_ROOTFS_SECURITY_LABELS
|
||||||
bool "Enable rootfs security labels"
|
bool
|
||||||
select KERNEL_SQUASHFS_XATTR
|
select KERNEL_SQUASHFS_XATTR
|
||||||
select KERNEL_EXT4_FS_SECURITY
|
select KERNEL_EXT4_FS_SECURITY
|
||||||
select KERNEL_F2FS_FS_SECURITY
|
select KERNEL_F2FS_FS_SECURITY
|
||||||
select KERNEL_UBIFS_FS_SECURITY
|
select KERNEL_UBIFS_FS_SECURITY
|
||||||
select KERNEL_JFFS2_FS_SECURITY
|
select KERNEL_JFFS2_FS_SECURITY
|
||||||
|
|
||||||
|
config SELINUX
|
||||||
|
bool "Enable SELinux"
|
||||||
|
select KERNEL_SECURITY_SELINUX
|
||||||
|
select TARGET_ROOTFS_SECURITY_LABELS
|
||||||
|
select PACKAGE_procd-selinux
|
||||||
|
select PACKAGE_busybox-selinux
|
||||||
help
|
help
|
||||||
This option enables the usage of SELinux labels
|
This option enables SELinux kernel features, applies security labels
|
||||||
|
in squashfs rootfs and selects the selinux-variants of busybox and procd.
|
||||||
|
|
||||||
|
Selecting this option results in about 0.5MiB of additional flash space
|
||||||
|
usage accounting for increased kernel and rootfs size.
|
||||||
|
|
||||||
choice
|
choice
|
||||||
prompt "default SELinux type"
|
prompt "default SELinux type"
|
||||||
depends on TARGET_ROOTFS_SECURITY_LABELS
|
depends on TARGET_ROOTFS_SECURITY_LABELS
|
||||||
default SELINUXTYPE_dssp
|
default SELINUXTYPE_dssp
|
||||||
help
|
help
|
||||||
Choose SELinux policy to be used for build.
|
Select SELinux policy to be installed and used for applying rootfs labels.
|
||||||
|
|
||||||
config SELINUXTYPE_targeted
|
config SELINUXTYPE_targeted
|
||||||
bool "targeted"
|
bool "targeted"
|
||||||
select PACKAGE_refpolicy
|
select PACKAGE_refpolicy
|
||||||
|
help
|
||||||
|
SELinux Reference Policy (refpolicy)
|
||||||
|
|
||||||
config SELINUXTYPE_dssp
|
config SELINUXTYPE_dssp
|
||||||
bool "dssp"
|
bool "dssp"
|
||||||
select PACKAGE_selinux-policy
|
select PACKAGE_selinux-policy
|
||||||
|
help
|
||||||
|
Defensec SELinux Security Policy -- OpenWrt edition
|
||||||
|
|
||||||
endchoice
|
endchoice
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
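Review bot: The new help text for `config SELINUX` says labels are applied "in squashfs rootfs", but the `TARGET_ROOTFS_SECURITY_LABELS` symbol it selects also selects the ext4, f2fs, ubifs and jffs2 security-xattr options, so the help understates what this switch turns on. I would word it as `applies security labels to the root filesystem` and add one sentence on whether the resulting image boots enforcing or permissive, since that is the first thing someone hardening a device needs to know. The policy `choice` still has `depends on TARGET_ROOTFS_SECURITY_LABELS`, which is now a promptless symbol; `depends on SELINUX` would tie it to the option the user actually sees. Kconfig `select` also forces a symbol on without checking that symbol's own dependencies, and the definition of `KERNEL_SECURITY_SELINUX` is outside the visible hunks, so it is worth confirming that it pulls in everything it needs when reached this way.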
@ -1124,6 +1124,7 @@ config KERNEL_SECURITY_SELINUX
|
|||||||
config KERNEL_SECURITY_SELINUX_BOOTPARAM
|
config KERNEL_SECURITY_SELINUX_BOOTPARAM
|
||||||
bool "NSA SELinux boot parameter"
|
bool "NSA SELinux boot parameter"
|
||||||
depends on KERNEL_SECURITY_SELINUX
|
depends on KERNEL_SECURITY_SELINUX
|
||||||
|
default y
|
||||||
|
|
||||||
config KERNEL_SECURITY_SELINUX_DISABLE
|
config KERNEL_SECURITY_SELINUX_DISABLE
|
||||||
bool "NSA SELinux runtime disable"
|
bool "NSA SELinux runtime disable"
|
||||||
@ -1132,6 +1133,7 @@ config KERNEL_SECURITY_SELINUX_DISABLE
|
|||||||
config KERNEL_SECURITY_SELINUX_DEVELOP
|
config KERNEL_SECURITY_SELINUX_DEVELOP
|
||||||
bool "NSA SELinux Development Support"
|
bool "NSA SELinux Development Support"
|
||||||
depends on KERNEL_SECURITY_SELINUX
|
depends on KERNEL_SECURITY_SELINUX
|
||||||
|
default y
|
||||||
|
|
||||||
config KERNEL_LSM
|
config KERNEL_LSM
|
||||||
string
|
string
|
||||||
|
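Review bot: The two added `default y` lines mean every build that enables `KERNEL_SECURITY_SELINUX` gets a kernel in which SELinux can be disabled from the kernel command line (`KERNEL_SECURITY_SELINUX_BOOTPARAM`, hunk at -1124) and can run or be switched to permissive mode (`KERNEL_SECURITY_SELINUX_DEVELOP`, hunk at -1132), and neither entry has a help text that says so. That is a sensible default while policy is still being developed, but a builder who ticks the single "Enable SELinux" option for a production image may assume enforcement cannot be turned off from the bootloader or at runtime. I would add a help block to each entry, for example `Allows SELinux to be disabled with selinux=0 on the kernel command line. Say N for locked-down images.` and `Allows the kernel to run in permissive mode (enforcing=0). Say N to build an always-enforcing kernel.`, and point to both options from the `config SELINUX` help.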