[selinux-policy: 1924/3172] trunk: Add file for enabling policy capabilities.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:51:18 UTC 2010


commit c07f9ccd18ff1c2518845817b429771368dd4831
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 18 14:21:01 2008 +0000

    trunk: Add file for enabling policy capabilities.

 Changelog                  |    1 +
 Makefile                   |    1 +
 Rules.modular              |    2 +-
 Rules.monolithic           |    2 +-
 policy/policy_capabilities |   33 +++++++++++++++++++++++++++++++++
 5 files changed, 37 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index aa6d05b..4529e65 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add file for enabling policy capabilities.
 - Patch to fix leaky interface/template call depth calculator from Vaclav
   Ovsik.
 
diff --git a/Makefile b/Makefile
index a08c983..ec7c7d5 100644
--- a/Makefile
+++ b/Makefile
@@ -130,6 +130,7 @@ globaltun = $(poldir)/global_tunables
 globalbool = $(poldir)/global_booleans
 rolemap = $(poldir)/rolemap
 user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
 
 # local config file paths
 ifndef LOCAL_ROOT
diff --git a/Rules.modular b/Rules.modular
index 1b767b0..03dca50 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -15,7 +15,7 @@ users_extra := $(tmpdir)/users_extra
 
 base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
 
-base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 base_te_files := $(base_mods)
 base_post_te_files := $(user_files) $(poldir)/constraints
 base_fc_files := $(base_mods:.te=.fc)
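Review bot: Appending `$(policycaps)` to `base_pre_te_files` puts the policy_capabilities file into the base module's pre-TE section, and since a `policycap` statement is (presumably) a global switch in the compiled policy rather than a per-module setting, anything enabled in that file governs permission checks for every module loaded alongside this base, including ones built outside this tree. That makes the otherwise unremarkable list entry worth a comment, e.g. `# policy capabilities ship in the base module and affect checks policy-wide`, so a later maintainer does not treat the file as base-only detail. The same appending is done to `pre_te_files` in the Rules.monolithic hunk, so one comment in each place, or a cross-reference, would keep the two builds in step. Both assignments depend on `policycaps` being defined earlier by the Makefile hunk; neither Rules file defines a fallback if it is not.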
diff --git a/Rules.monolithic b/Rules.monolithic
index a6b0d55..4b6acbc 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -32,7 +32,7 @@ all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
 all_te_files := $(all_modules)
 all_fc_files := $(all_modules:.te=.fc)
 
-pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 post_te_files := $(user_files) $(poldir)/constraints
 
 policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
new file mode 100644
index 0000000..ad2d5d6
--- /dev/null
+++ b/policy/policy_capabilities
@@ -0,0 +1,33 @@
+#
+# This file contains the policy capabilites
+# that are enabled in this policy, not a
+# declaration of DAC capabilites such as
+# CAP_DAC_OVERRIDE.
+#
+# The affected object classes and their
+# permissions should also be listed in
+# the comments for each capability.
+#
+
+# Enable additional networking access control for
+# labeled networking peers.
+#
+# Checks enabled:
+# node: sendto recvfrom
+# netif: ingress egress
+# peer: recv
+#
+#policycap network_peer_controls;
+
+# Enable additional access controls for opening
+# a file (and similar objects).
+#
+# Checks enabled:
+# dir: open
+# file: open
+# lnk_file: open
+# fifo_file: open
+# chr_file: open
+# blk_file: open
+#
+#policycap open_perms;
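Review bot: The header comment says this file "contains the policy capabilites that are enabled in this policy", but both `policycap` statements below it are commented out, so as committed nothing is enabled; the header should state that each capability is opt-in and is turned on by uncommenting its line. Enabling one also switches on the new permission checks listed under it (`open` on the file classes, `sendto`/`recvfrom`/`ingress`/`egress`/`recv` for peer controls), so modules that never granted those permissions start being denied; a sentence in the header asking that the affected modules be audited for the new permissions before a line is uncommented would capture the operational risk. The word "capabilites" is misspelled twice in the header (lines for "policy capabilites" and "DAC capabilites") and should read "capabilities". Whether a given `policycap` is accepted also depends on the checkpolicy and kernel versions in use; if the project has a minimum-version convention, noting it here would help.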

