summaryrefslogtreecommitdiffstats
path: root/security/selinux/Kconfig
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-12-31 18:54:11 +0100
committerPaul Moore <paul.moore@hp.com>2008-12-31 18:54:11 +0100
commit277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch)
tree733f8694020df6ff8d9e21e2419b0df71aeb4351 /security/selinux/Kconfig
parentnetlabel: Update kernel configuration API (diff)
downloadlinux-277d342fc423fca5e66e677fe629d1b2f8f1b9e2.tar.xz
linux-277d342fc423fca5e66e677fe629d1b2f8f1b9e2.zip
selinux: Deprecate and schedule the removal of the the compat_net functionality
This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode. This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/Kconfig')
-rw-r--r--security/selinux/Kconfig27
1 files changed, 0 insertions, 27 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 26301dd651d3..bca1b74a4a2f 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -94,33 +94,6 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
If you are unsure how to answer this question, answer 1.
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
- bool "NSA SELinux enable new secmark network controls by default"
- depends on SECURITY_SELINUX
- default n
- help
- This option determines whether the new secmark-based network
- controls will be enabled by default. If not, the old internal
- per-packet controls will be enabled by default, preserving
- old behavior.
-
- If you enable the new controls, you will need updated
- SELinux userspace libraries, tools and policy. Typically,
- your distribution will provide these and enable the new controls
- in the kernel they also distribute.
-
- Note that this option can be overridden at boot with the
- selinux_compat_net parameter, and after boot via
- /selinux/compat_net. See Documentation/kernel-parameters.txt
- for details on this parameter.
-
- If you enable the new network controls, you will likely
- also require the SECMARK and CONNSECMARK targets, as
- well as any conntrack helpers for protocols which you
- wish to control.
-
- If you are unsure what to do here, select N.
-
config SECURITY_SELINUX_POLICYDB_VERSION_MAX
bool "NSA SELinux maximum supported policy format version"
depends on SECURITY_SELINUX