69f287ae6f
Smack uses CIPSO to label internet packets and thus provide for access control on delivery of packets. The netfilter facility was not used to allow for Smack to work properly without netfilter configuration. Smack does not need netfilter, however there are cases where it would be handy. As a side effect, the labeling of local IPv4 packets can be optimized and the handling of local IPv6 packets is just all out better. The best part is that the netfilter tools use "contexts" that are just strings, and they work just as well for Smack as they do for SELinux. All of the conditional compilation for IPv6 was implemented by Rafal Krypa <r.krypa@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
42 lines
1.5 KiB
Text
42 lines
1.5 KiB
Text
config SECURITY_SMACK
|
|
bool "Simplified Mandatory Access Control Kernel Support"
|
|
depends on NET
|
|
depends on INET
|
|
depends on SECURITY
|
|
select NETLABEL
|
|
select SECURITY_NETWORK
|
|
default n
|
|
help
|
|
This selects the Simplified Mandatory Access Control Kernel.
|
|
Smack is useful for sensitivity, integrity, and a variety
|
|
of other mandatory security schemes.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SMACK_BRINGUP
|
|
bool "Reporting on access granted by Smack rules"
|
|
depends on SECURITY_SMACK
|
|
default n
|
|
help
|
|
Enable the bring-up ("b") access mode in Smack rules.
|
|
When access is granted by a rule with the "b" mode a
|
|
message about the access requested is generated. The
|
|
intention is that a process can be granted a wide set
|
|
of access initially with the bringup mode set on the
|
|
rules. The developer can use the information to
|
|
identify which rules are necessary and what accesses
|
|
may be inappropriate. The developer can reduce the
|
|
access rule set once the behavior is well understood.
|
|
This is a superior mechanism to the oft abused
|
|
"permissive" mode of other systems.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SMACK_NETFILTER
|
|
bool "Packet marking using secmarks for netfilter"
|
|
depends on SECURITY_SMACK
|
|
depends on NETWORK_SECMARK
|
|
depends on NETFILTER
|
|
default n
|
|
help
|
|
This enables security marking of network packets using
|
|
Smack labels.
|
|
If you are unsure how to answer this question, answer N.
|