@@ -19,11 +19,18 @@ CONFIG_INET=y
CONFIG_IPV6=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_SELINUX=y
+
+# For testing of labeled IPSEC, NetLabel, and SECMARK functionality.
+# Not strictly required for basic SELinux operation.
+CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_NETLABEL=y
CONFIG_IP_NF_SECURITY=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
+CONFIG_INET_AH=m
+CONFIG_INET6_XFRM_MODE_TRANSPORT=m
+CONFIG_INET6_AH=m
+CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired
CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
@@ -47,6 +54,18 @@ CONFIG_IP_SCTP=m
CONFIG_BT=m
CONFIG_CRYPTO_USER_API=m
+# Netlink protocol implementations.
+# These are enabled to test the netlink socket controls in
+# tests/netlink_socket; they are not required for SELinux operation itself.
+CONFIG_SCSI_FC_ATTRS=m # selects CONFIG_SCSI_NETLINK
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_CRYPTO_USER=m
+
+# Overlay fs.
+# This is enabled to test overlayfs SELinux integration.
+# It is not required for SELinux operation itself.
+CONFIG_OVERLAY_FS=m
+
Do not set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX; it is an
option for legacy distributions (Fedora 3 and 4).
Add several config options that are required by the inet_socket, netlink_socket, and overlay tests. Note that these are not required for basic SELinux operation itself but merely to test the corresponding functionality. Discovered these undocumented dependencies upon running selinux-testsuite after running make localmodconfig and then re-adding the already documented config options to my config; these three tests had failures due to the missing config options. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- README | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)