change system file

hc

2024-10-09 244b2c5ca8b14627e4a17755e5922221e121c771

 kernel/security/selinux/Kconfig
..
..
@@ -1,3 +1,4 @@
1
+# SPDX-License-Identifier: GPL-2.0-only
1
2
 config SECURITY_SELINUX
2
3
 	bool "NSA SELinux Support"
3
4
 	depends on SECURITY_NETWORK && AUDIT && NET && INET
..
..
@@ -22,21 +23,6 @@
22
23
 
23
24
 	  If you are unsure how to answer this question, answer N.
24
25
 
25
-config SECURITY_SELINUX_BOOTPARAM_VALUE
26
-	int "NSA SELinux boot parameter default value"
27
-	depends on SECURITY_SELINUX_BOOTPARAM
28
-	range 0 1
29
-	default 1
30
-	help
31
-	  This option sets the default value for the kernel parameter
32
-	  'selinux', which allows SELinux to be disabled at boot.  If this
33
-	  option is set to 0 (zero), the SELinux kernel parameter will
34
-	  default to 0, disabling SELinux at bootup.  If this option is
35
-	  set to 1 (one), the SELinux kernel parameter will default to 1,
36
-	  enabling SELinux at bootup.
37
-
38
-	  If you are unsure how to answer this question, answer 1.
39
-
40
26
 config SECURITY_SELINUX_DISABLE
41
27
 	bool "NSA SELinux runtime disable"
42
28
 	depends on SECURITY_SELINUX
..
..
@@ -56,6 +42,9 @@
56
42
 	  using the selinux=0 boot parameter instead of enabling this
57
43
 	  option.
58
44
 
45
+	  WARNING: this option is deprecated and will be removed in a future
46
+	  kernel release.
47
+
59
48
 	  If you are unsure how to answer this question, answer N.
60
49
 
61
50
 config SECURITY_SELINUX_DEVELOP
..
..
@@ -69,7 +58,8 @@
69
58
 	  kernel will start in permissive mode (log everything, deny nothing)
70
59
 	  unless you specify enforcing=1 on the kernel command line.  You
71
60
 	  can interactively toggle the kernel between enforcing mode and
72
-	  permissive mode (if permitted by the policy) via /selinux/enforce.
61
+	  permissive mode (if permitted by the policy) via
62
+	  /sys/fs/selinux/enforce.
73
63
 
74
64
 config SECURITY_SELINUX_AVC_STATS
75
65
 	bool "NSA SELinux AVC Statistics"
..
..
@@ -77,7 +67,7 @@
77
67
 	default y
78
68
 	help
79
69
 	  This option collects access vector cache statistics to
80
-	  /selinux/avc/cache_stats, which may be monitored via
70
+	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
81
71
 	  tools such as avcstat.
82
72
 
83
73
 config SECURITY_SELINUX_CHECKREQPROT_VALUE
..
..
@@ -96,7 +86,10 @@
96
86
 	  default to checking the protection requested by the application.
97
87
 	  The checkreqprot flag may be changed from the default via the
98
88
 	  'checkreqprot=' boot parameter.  It may also be changed at runtime
99
-	  via /selinux/checkreqprot if authorized by policy.
89
+	  via /sys/fs/selinux/checkreqprot if authorized by policy.
90
+
91
+	  WARNING: this option is deprecated and will be removed in a future
92
+	  kernel release.
100
93
 
101
94
 	  If you are unsure how to answer this question, answer 0.
102
95
 
..
..
@@ -111,3 +104,14 @@
111
104
 	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
112
105
 	  chain lengths are high (e.g. > 20) then selecting a higher value here
113
106
 	  will ensure that lookups times are short and stable.
107
+
108
+config SECURITY_SELINUX_SID2STR_CACHE_SIZE
109
+	int "NSA SELinux SID to context string translation cache size"
110
+	depends on SECURITY_SELINUX
111
+	default 256
112
+	help
113
+	  This option defines the size of the internal SID -> context string
114
+	  cache, which improves the performance of context to string
115
+	  conversion.  Setting this option to 0 disables the cache completely.
116
+
117
+	  If unsure, keep the default value.