8.6. Security

The Linux kernel supports different security models by providing hooks and letting you build in your choice of model. At the moment, only a few models come with the default kernel source tree, but developers of new models are working on getting more accepted.

8.6.1. Default Linux Capabilities

The standard type of security model for Linux is the "capability" model. You should always select this option unless you really want to run an insecure kernel for some reason.

To enable it:

    Security options
        [*] Enable different security models
        [*]   Default Linux Capabilities

8.6.2. SELinux

A very popular security model is called SELinux. This model is supported by a number of different Linux distributions.

SELinux requires that the networking option be enabled. See the earlier section, "Networking," to enable this.

SELinux also requires that audit be enabled in the kernel configuration. To do this:

    General setup
        [*] Auditing support

Also, the networking security option must be enabled:

    Security options
        [*] Enable different security models
        [*]   Socket and Networking Security Hooks

Now it is possible to select the SELinux option:

    Security options
        [*] Enable different security models
        [*] NSA SELinux Support

There are also a number of individual SELinux options that you might wish to enable. See the help text for each item for a description of what it does:

    Security options
        [*] Enable different security models
        [*] NSA SELinux Support
        [ ]   NSA SELinux boot parameter
        [ ]   NSA SELinux runtime disable
        [*]   NSA SELinux Development Support
        [*]   NSA SELinux AVC Statistics
        (1)   NSA SELinux checkreqprot default value
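
The prerequisites above can be checked against a saved .config before building. The script below is an added example, not taken from the book; the CONFIG_ symbol names are assumed to be the 2.6-era Kconfig symbols behind the menu entries shown, the function names are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report which SELinux prerequisites are not built in.
# Symbol names are assumptions (2.6-era Kconfig); the page shows only menu labels.

# sample_config: constructed .config fragment with audit and the
# networking security hooks left out, so SELinux cannot be selected.
sample_config() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_NETFILTER=m
# CONFIG_AUDIT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
EOF
}

# config_value FILE SYMBOL: print the symbol's value (y, m, a number, ...)
# or "n" when it is absent or commented out as "is not set".
# The "=" in the pattern keeps CONFIG_NET from matching CONFIG_NETFILTER.
config_value() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# selinux_missing FILE: print the prerequisite symbols that are not "y",
# in the order the section enables them; return 0 only if none are missing.
selinux_missing() {
    missing=""
    for sym in CONFIG_NET CONFIG_AUDIT CONFIG_SECURITY \
               CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX; do
        [ "$(config_value "$1" "$sym")" = "y" ] || missing="$missing $sym"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Run against the file given as the first argument, or the sample if none.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    sample_config > "$cfg"
fi
selinux_missing "$cfg" || echo "SELinux prerequisites missing (listed above)"
```
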



Linux Kernel in a Nutshell
ISBN: 0596100795
Year: 2004
Pages: 113
