forked from luck/tmp_suning_uos_patched
339949be25
Presently mdp does not enable any SELinux policy capabilities in the dummy policy it generates. Thus, policies derived from it will by default lack various features commonly used in modern policies such as open permission, extended socket classes, network peer controls, etc. Split the policy capability definitions out into their own headers so that we can include them into mdp without pulling in other kernel headers and extend mdp generate policycap statements for the policy capabilities known to the kernel. Policy authors may wish to selectively remove some of these from the generated policy. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
21 lines
594 B
C
21 lines
594 B
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _SELINUX_POLICYCAP_H_
|
|
#define _SELINUX_POLICYCAP_H_
|
|
|
|
/* Policy capabilities */
|
|
enum {
|
|
POLICYDB_CAPABILITY_NETPEER,
|
|
POLICYDB_CAPABILITY_OPENPERM,
|
|
POLICYDB_CAPABILITY_EXTSOCKCLASS,
|
|
POLICYDB_CAPABILITY_ALWAYSNETWORK,
|
|
POLICYDB_CAPABILITY_CGROUPSECLABEL,
|
|
POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
|
|
POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS,
|
|
__POLICYDB_CAPABILITY_MAX
|
|
};
|
|
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
|
|
|
|
extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
|
|
|
|
#endif /* _SELINUX_POLICYCAP_H_ */
|