Add always_check_network policy capability.

Disabled by default, as most systems don't want/need this.

policy/policy_capabilities

@@ -31,3 +31,13 @@ policycap network_peer_controls;
 # blk_file: open
 #
 policycap open_perms;
+
+# Always enforce network access controls, even
+# if labeling is not configured for them.
+# Available in kernel 3.13+
+#
+# Checks enabled:
+# packet: send recv
+# peer: recv
+#
+# policycap always_check_network;