mirror of https://github.com/hak5/openwrt.git
config: add KERNEL_LSM symbol
The LSM (Linux security mechanism) list is the successor of the now legacy *major LSM*. Instead of defining a single security mechanism, the LSM symbol is a comma-separated list of mechanisms to load. Until recently OpenWrt would only support DAC (Unix discretionary access controls), which don't require an additional entry in the LSM list. With the newly introduced SELinux support, the LSM needs to be extended, else only a manually modified Kernel cmdline (`security=selinux`) would activate SELinux.

As the default OpenWrt Kernel config sets DAC as default security mechanism, SELinux is stripped from the LSM list, even if `KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without a modified cmdline, this commit sets a specific LSM list if `KERNEL_SECURITY_SELINUX` is enabled.

The upstream Kconfig adds even more mechanisms (smack, selinux, tomoyo, apparmor), but until they're ported to OpenWrt, these can be ignored.

To compile SELinux Kernel support but disable it from loading, the already present options `KERNEL_SECURITY_SELINUX_DISABLE` or `KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`) can be used. Further, it's possible to edit `/etc/selinux/config`.

Signed-off-by: Paul Spooren <mail@aparcar.org>
parent 45a81f7056
commit f922a3e00e
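The commit message above describes how `CONFIG_LSM` (`KERNEL_LSM` here), the legacy `security=` parameter and `selinux=0` interact. The following shell script is an added example, not part of this commit or of OpenWrt: it models the kernel's `ordered_lsm_parse` decision so that a candidate `KERNEL_LSM` value can be checked against a given set of built-in LSMs and a boot cmdline before flashing. The built-in set, the cmdlines and the `effective_lsms` function name are constructed for the example; `capability`, which the kernel always initializes first, is left out of the printed list.

```shell
#!/bin/sh
# Added example, not from the OpenWrt commit or the kernel sources: a small model
# of how the kernel turns CONFIG_LSM plus the boot cmdline into the list of LSMs
# that actually initialize.  Inputs at the bottom are constructed.

# LSMs the old security= parameter can select (LSM_FLAG_LEGACY_MAJOR in the kernel)
LEGACY_MAJOR="selinux smack tomoyo apparmor"

is_in() { # is_in NAME LIST   (LIST is space separated)
  for x in $2; do [ "$x" = "$1" ] && return 0; done
  return 1
}

# effective_lsms CONFIG_LSM BUILT_IN CMDLINE
#   CONFIG_LSM : comma separated CONFIG_LSM value (KERNEL_LSM in OpenWrt)
#   BUILT_IN   : space separated LSMs compiled into the kernel (CONFIG_SECURITY_*=y)
#   CMDLINE    : kernel command line
# Prints the comma separated LSMs the kernel would initialize after "capability".
effective_lsms() {
  order=$(printf '%s' "$1" | tr ',' ' ')
  builtin=$2
  lsm_param=; security_param=; selinux_param=
  for tok in $3; do
    case "$tok" in
      lsm=*)      lsm_param=$(printf '%s' "${tok#lsm=}" | tr ',' ' ') ;;
      security=*) security_param=${tok#security=} ;;
      selinux=*)  selinux_param=${tok#selinux=} ;;
    esac
  done

  # lsm= replaces the built-in order completely; security= next to it is ignored
  if [ -n "$lsm_param" ]; then
    order=$lsm_param
    security_param=
  fi

  out=
  for name in $order; do
    is_in "$name" "$builtin" || continue   # not compiled in: silently skipped
    is_in "$name" "$out" && continue       # duplicates are ignored
    # security=X keeps only X among the legacy major LSMs named in the list
    if [ -n "$security_param" ] && is_in "$name" "$LEGACY_MAJOR" \
       && [ "$name" != "$security_param" ]; then
      continue
    fi
    out="$out $name"
  done
  # security=X appends X when it is built in but was missing from the order
  if [ -n "$security_param" ] && is_in "$security_param" "$builtin" \
     && ! is_in "$security_param" "$out"; then
    out="$out $security_param"
  fi
  # selinux=0 (CONFIG_SECURITY_SELINUX_BOOTPARAM) keeps SELinux from registering
  if [ "$selinux_param" = "0" ]; then
    tmp=; for name in $out; do [ "$name" = selinux ] || tmp="$tmp $name"; done; out=$tmp
  fi
  printf '%s\n' "$out" | sed 's/^ //; s/ /,/g'
}

# Constructed demo: the default list from this commit on a kernel that builds
# only yama and selinux, with a plain cmdline -> yama,selinux
effective_lsms 'lockdown,yama,loadpin,safesetid,integrity,selinux' 'yama selinux' 'root=/dev/mtdblock2'
```

On a running box the same question is answered by `cat /sys/kernel/security/lsm` and `cat /proc/cmdline`; the script is for checking the build-time value before a device is flashed, where no such sysfs node exists yet.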
@ -1133,18 +1133,10 @@ config KERNEL_SECURITY_SELINUX_DEVELOP
|
||||||
bool "NSA SELinux Development Support"
|
bool "NSA SELinux Development Support"
|
||||||
depends on KERNEL_SECURITY_SELINUX
|
depends on KERNEL_SECURITY_SELINUX
|
||||||
|
|
||||||
choice
|
config KERNEL_LSM
|
||||||
prompt "First legacy 'major LSM' to be initialized"
|
string
|
||||||
|
default "lockdown,yama,loadpin,safesetid,integrity,selinux"
|
||||||
depends on KERNEL_SECURITY_SELINUX
|
depends on KERNEL_SECURITY_SELINUX
|
||||||
default KERNEL_DEFAULT_SECURITY_SELINUX
|
|
||||||
|
|
||||||
config KERNEL_DEFAULT_SECURITY_SELINUX
|
|
||||||
bool "SELinux"
|
|
||||||
|
|
||||||
config KERNEL_DEFAULT_SECURITY_DAC
|
|
||||||
bool "Unix Discretionary Access Controls"
|
|
||||||
|
|
||||||
endchoice
|
|
||||||
|
|
||||||
config KERNEL_EXT4_FS_SECURITY
|
config KERNEL_EXT4_FS_SECURITY
|
||||||
bool "Ext4 Security Labels"
|
bool "Ext4 Security Labels"
|
||||||
|
|
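Review bot: removing the `choice` with `KERNEL_DEFAULT_SECURITY_SELINUX` / `KERNEL_DEFAULT_SECURITY_DAC` while the commit message still tells users to activate `KERNEL_DEFAULT_SECURITY_SELINUX` means any existing `.config` or diffconfig that sets those symbols is now silently ignored; the message should say the old symbols are gone and that `KERNEL_SECURITY_SELINUX` alone drives the list. Two smaller points on the new `config KERNEL_LSM`: it carries no `prompt`, so the `default "lockdown,yama,loadpin,safesetid,integrity,selinux"` cannot be overridden from menuconfig, only by editing this file; and that default names five LSMs (`lockdown`, `yama`, `loadpin`, `safesetid`, `integrity`) whose `CONFIG_SECURITY_*` options nothing in this hunk enables. The kernel skips list entries that are not built in, so it works as intended, but a one-line comment above the `default` saying so would save the next reader a trip to security/security.c.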