trunk: Add file for enabling policy capabilities.

This commit is contained in:
Chris PeBenito 2008-04-18 14:21:01 +00:00
parent 75da4b8ad3
commit c07f9ccd18
5 changed files with 37 additions and 2 deletions


@ -1,3 +1,4 @@
- Add file for enabling policy capabilities.
- Patch to fix leaky interface/template call depth calculator from Vaclav
Ovsik.


@ -130,6 +130,7 @@ globaltun = $(poldir)/global_tunables
globalbool = $(poldir)/global_booleans
rolemap = $(poldir)/rolemap
user_files := $(poldir)/users
policycaps := $(poldir)/policy_capabilities
# local config file paths
ifndef LOCAL_ROOT


@ -15,7 +15,7 @@ users_extra := $(tmpdir)/users_extra
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
base_te_files := $(base_mods)
base_post_te_files := $(user_files) $(poldir)/constraints
base_fc_files := $(base_mods:.te=.fc)


@ -32,7 +32,7 @@ all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
all_te_files := $(all_modules)
all_fc_files := $(all_modules:.te=.fc)
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
post_te_files := $(user_files) $(poldir)/constraints
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf


@ -0,0 +1,33 @@
#
# This file contains the policy capabilites
# that are enabled in this policy, not a
# declaration of DAC capabilites such as
# CAP_DAC_OVERRIDE.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#
# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
#policycap network_peer_controls;
# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# lnk_file: open
# fifo_file: open
# chr_file: open
# blk_file: open
#
#policycap open_perms;
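Review bot: The header comment says this file holds the policy capabilities "that are enabled in this policy", but both `policycap` statements (`#policycap network_peer_controls;` and `#policycap open_perms;`) are commented out, so as committed nothing is enabled and none of the node/netif/peer or open checks listed in the comments are turned on. A reader of the header alone would assume those checks are active; a caveat next to each disabled statement would avoid that, e.g. `# Disabled: enable only once the policy grants the checks listed above.` Enabling a policycap presumably makes the kernel enforce the new permission checks everywhere, so uncommenting one is a policy-coverage change rather than a one-line toggle, and the header should say so (and, if known, which policy version / kernel first accepts these statements, since the build rules do not gate on it). Also "capabilites" is misspelled twice in the header, and a blank line between the three comment blocks would make the file easier to scan.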