2008-04-18 14:21:01 +00:00
|
|
|
#
|
|
|
|
# This file contains the policy capabilites
|
|
|
|
# that are enabled in this policy, not a
|
|
|
|
# declaration of DAC capabilites such as
|
2008-10-16 16:09:20 +00:00
|
|
|
# dac_override.
|
2008-04-18 14:21:01 +00:00
|
|
|
#
|
|
|
|
# The affected object classes and their
|
|
|
|
# permissions should also be listed in
|
|
|
|
# the comments for each capability.
|
|
|
|
#
|
|
|
|
|
|
|
|
# Enable additional networking access control for
|
|
|
|
# labeled networking peers.
|
|
|
|
#
|
|
|
|
# Checks enabled:
|
|
|
|
# node: sendto recvfrom
|
|
|
|
# netif: ingress egress
|
|
|
|
# peer: recv
|
|
|
|
#
|
2009-02-03 15:45:30 +00:00
|
|
|
policycap network_peer_controls;
|
2008-04-18 14:21:01 +00:00
|
|
|
|
|
|
|
# Enable additional access controls for opening
|
|
|
|
# a file (and similar objects).
|
|
|
|
#
|
|
|
|
# Checks enabled:
|
|
|
|
# dir: open
|
|
|
|
# file: open
|
|
|
|
# fifo_file: open
|
2009-07-01 13:34:54 +00:00
|
|
|
# sock_file: open
|
2008-04-18 14:21:01 +00:00
|
|
|
# chr_file: open
|
|
|
|
# blk_file: open
|
|
|
|
#
|
2008-10-16 16:09:20 +00:00
|
|
|
policycap open_perms;
|
2015-01-27 22:25:36 +00:00
|
|
|
|
|
|
|
# Always enforce network access controls, even
|
|
|
|
# if labeling is not configured for them.
|
|
|
|
# Available in kernel 3.13+
|
|
|
|
#
|
|
|
|
# Checks enabled:
|
|
|
|
# packet: send recv
|
|
|
|
# peer: recv
|
|
|
|
#
|
|
|
|
# policycap always_check_network;
|
2016-12-08 18:35:27 +00:00
|
|
|
|
|
|
|
# Enable separate security classes for
|
|
|
|
# all network address families previously
|
|
|
|
# mapped to the socket class and for
|
|
|
|
# ICMP and SCTP sockets previously mapped
|
|
|
|
# to the rawip_socket class.
|
|
|
|
#
|
|
|
|
# Classes enabled:
|
|
|
|
# sctp_socket
|
|
|
|
# icmp_socket
|
|
|
|
# ax25_socket
|
|
|
|
# ipx_socket
|
|
|
|
# netrom_socket
|
|
|
|
# atmpvc_socket
|
|
|
|
# x25_socket
|
|
|
|
# rose_socket
|
|
|
|
# decnet_socket
|
|
|
|
# atmsvc_socket
|
|
|
|
# rds_socket
|
|
|
|
# irda_socket
|
|
|
|
# pppox_socket
|
|
|
|
# llc_socket
|
|
|
|
# can_socket
|
|
|
|
# tipc_socket
|
|
|
|
# bluetooth_socket
|
|
|
|
# iucv_socket
|
|
|
|
# rxrpc_socket
|
|
|
|
# isdn_socket
|
|
|
|
# phonet_socket
|
|
|
|
# ieee802154_socket
|
|
|
|
# caif_socket
|
|
|
|
# alg_socket
|
|
|
|
# nfc_socket
|
|
|
|
# vsock_socket
|
|
|
|
# kcm_socket
|
|
|
|
# qipcrtr_socket
|
2017-05-17 15:31:48 +00:00
|
|
|
# smc_socket
|
2016-12-08 18:35:27 +00:00
|
|
|
#
|
|
|
|
# Available in kernel 4.11+.
|
|
|
|
# Requires libsepol 2.7+ to build policy with this enabled.
|
|
|
|
#
|
2017-08-05 16:01:00 +00:00
|
|
|
policycap extended_socket_class;
|
2017-08-05 16:13:21 +00:00
|
|
|
|
2017-08-05 16:15:02 +00:00
|
|
|
# Enable fine-grained labeling of cgroup and cgroup2 filesystems.
|
|
|
|
# Requires Linux v4.11 and later.
|
|
|
|
#
|
|
|
|
# Added checks:
|
|
|
|
# (none)
|
2018-01-16 23:52:39 +00:00
|
|
|
policycap cgroup_seclabel;
|
2017-08-05 16:15:02 +00:00
|
|
|
|
2017-08-05 16:13:21 +00:00
|
|
|
# Enable NoNewPrivileges support. Requires libsepol 2.7+
|
2018-01-16 23:52:39 +00:00
|
|
|
# and kernel 4.14.
|
2017-08-05 16:13:21 +00:00
|
|
|
#
|
|
|
|
# Checks enabled;
|
|
|
|
# process2: nnp_transition, nosuid_transition
|
|
|
|
#
|
2018-01-16 23:52:39 +00:00
|
|
|
policycap nnp_nosuid_transition;
|