config: clean up SELinux options

In order to make it easier for users to build with SELinux, have a single option in 'Global build settings' to enable all necessary kernel features, userland packages and build-system hooks. Also add better descriptions and help messages while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-16 14:27:34 +01:00 · 2020-10-16 14:27:34 +01:00 · ba9b6702aa
commit ba9b6702aa
parent 00c28c51fb
2 changed files with 23 additions and 3 deletions
--- a/config/Config-build.in
+++ b/config/Config-build.in
@ -329,27 +329,45 @@ menu "Global build settings"
 	endchoice

 	config TARGET_ROOTFS_SECURITY_LABELS
-		bool "Enable rootfs security labels"
+		bool
 		select KERNEL_SQUASHFS_XATTR
 		select KERNEL_EXT4_FS_SECURITY
 		select KERNEL_F2FS_FS_SECURITY
 		select KERNEL_UBIFS_FS_SECURITY
 		select KERNEL_JFFS2_FS_SECURITY
+
+	config SELINUX
+		bool "Enable SELinux"
+		select KERNEL_SECURITY_SELINUX
+		select TARGET_ROOTFS_SECURITY_LABELS
+		select PACKAGE_procd-selinux
+		select PACKAGE_busybox-selinux
 		help
-		  This option enables the usage of SELinux labels
+		  This option enables SELinux kernel features, applies security labels
+		  in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+		  Selecting this option results in about 0.5MiB of additional flash space
+		  usage accounting for increased kernel and rootfs size.

 	choice
 		prompt "default SELinux type"
 		depends on TARGET_ROOTFS_SECURITY_LABELS
 		default SELINUXTYPE_dssp
 		help
-		  Choose SELinux policy to be used for build.
+		  Select SELinux policy to be installed and used for applying rootfs labels.
+
 		config SELINUXTYPE_targeted
 			bool "targeted"
 			select PACKAGE_refpolicy
+			help
+			  SELinux Reference Policy (refpolicy)
+
 		config SELINUXTYPE_dssp
 			bool "dssp"
 			select PACKAGE_selinux-policy
+			help
+			  Defensec SELinux Security Policy -- OpenWrt edition
+
 	endchoice

 endmenu
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@ -1124,6 +1124,7 @@ config KERNEL_SECURITY_SELINUX
 config KERNEL_SECURITY_SELINUX_BOOTPARAM
 	bool "NSA SELinux boot parameter"
 	depends on KERNEL_SECURITY_SELINUX
+	default y

 config KERNEL_SECURITY_SELINUX_DISABLE
 	bool "NSA SELinux runtime disable"
@ -1132,6 +1133,7 @@ config KERNEL_SECURITY_SELINUX_DISABLE
 config KERNEL_SECURITY_SELINUX_DEVELOP
 	bool "NSA SELinux Development Support"
 	depends on KERNEL_SECURITY_SELINUX
+	default y

 config KERNEL_LSM
 	string