1 files changed, 29 insertions, 0 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index f636f53ca544..814ddc42f1f4 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,7 @@
 config SECURITY_SELINUX
        bool "NSA SELinux Support"
        depends on SECURITY_NETWORK && AUDIT && NET && INET
+        select NETWORK_SECMARK
        default n
        help
          This selects NSA Security-Enhanced Linux (SELinux).
@@ -95,3 +96,31 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
          via /selinux/checkreqprot if authorized by policy.
          If you are unsure how to answer this question, answer 1.
+config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+        bool "NSA SELinux enable new secmark network controls by default"
+        depends on SECURITY_SELINUX
+        default n
+        help
+          This option determines whether the new secmark-based network
+          controls will be enabled by default.  If not, the old internal
+          per-packet controls will be enabled by default, preserving
+          old behavior.
+          If you enable the new controls, you will need updated
+          SELinux userspace libraries, tools and policy.  Typically,
+          your distribution will provide these and enable the new controls
+          in the kernel they also distribute.
+          Note that this option can be overriden at boot with the
+          selinux_compat_net parameter, and after boot via
+          /selinux/compat_net.  See Documentation/kernel-parameters.txt
+          for details on this parameter.
+          If you enable the new network controls, you will likely
+          also require the SECMARK and CONNSECMARK targets, as
+          well as any conntrack helpers for protocols which you
+          wish to control.
+          If you are unsure what do do here, select N.

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index f636f53ca544..814ddc42f1f4 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig
@@ -1,6 +1,7 @@
1	config SECURITY_SELINUX	1	config SECURITY_SELINUX
2	bool "NSA SELinux Support"	2	bool "NSA SELinux Support"
3	depends on SECURITY_NETWORK && AUDIT && NET && INET	3	depends on SECURITY_NETWORK && AUDIT && NET && INET
		4	select NETWORK_SECMARK
4	default n	5	default n
5	help	6	help
6	This selects NSA Security-Enhanced Linux (SELinux).	7	This selects NSA Security-Enhanced Linux (SELinux).
@@ -95,3 +96,31 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
95	via /selinux/checkreqprot if authorized by policy.	96	via /selinux/checkreqprot if authorized by policy.
96		97
97	If you are unsure how to answer this question, answer 1.	98	If you are unsure how to answer this question, answer 1.
		99
		100	config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
		101	bool "NSA SELinux enable new secmark network controls by default"
		102	depends on SECURITY_SELINUX
		103	default n
		104	help
		105	This option determines whether the new secmark-based network
		106	controls will be enabled by default. If not, the old internal
		107	per-packet controls will be enabled by default, preserving
		108	old behavior.
		109
		110	If you enable the new controls, you will need updated
		111	SELinux userspace libraries, tools and policy. Typically,
		112	your distribution will provide these and enable the new controls
		113	in the kernel they also distribute.
		114
		115	Note that this option can be overriden at boot with the
		116	selinux_compat_net parameter, and after boot via
		117	/selinux/compat_net. See Documentation/kernel-parameters.txt
		118	for details on this parameter.
		119
		120	If you enable the new network controls, you will likely
		121	also require the SECMARK and CONNSECMARK targets, as
		122	well as any conntrack helpers for protocols which you
		123	wish to control.
		124
		125	If you are unsure what do do here, select N.
		126