trunk: Add file for enabling policy capabilities.
This commit is contained in:
Chris PeBenito
parent
75da4b8ad3
commit
c07f9ccd18
|
|
@ -1,3 +1,4 @@
|
||||||
|
- Add file for enabling policy capabilities.
|
||||||
- Patch to fix leaky interface/template call depth calculator from Vaclav
|
- Patch to fix leaky interface/template call depth calculator from Vaclav
|
||||||
Ovsik.
|
Ovsik.
|
||||||
|
|
||||||
|
|
|
||||||
1
Makefile
1
Makefile
|
|
@ -130,6 +130,7 @@ globaltun = $(poldir)/global_tunables
|
||||||
globalbool = $(poldir)/global_booleans
|
globalbool = $(poldir)/global_booleans
|
||||||
rolemap = $(poldir)/rolemap
|
rolemap = $(poldir)/rolemap
|
||||||
user_files := $(poldir)/users
|
user_files := $(poldir)/users
|
||||||
|
policycaps := $(poldir)/policy_capabilities
|
||||||
|
|
||||||
# local config file paths
|
# local config file paths
|
||||||
ifndef LOCAL_ROOT
|
ifndef LOCAL_ROOT
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ users_extra := $(tmpdir)/users_extra
|
||||||
|
|
||||||
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||||
|
|
||||||
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
|
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||||
base_te_files := $(base_mods)
|
base_te_files := $(base_mods)
|
||||||
base_post_te_files := $(user_files) $(poldir)/constraints
|
base_post_te_files := $(user_files) $(poldir)/constraints
|
||||||
base_fc_files := $(base_mods:.te=.fc)
|
base_fc_files := $(base_mods:.te=.fc)
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
|
||||||
all_te_files := $(all_modules)
|
all_te_files := $(all_modules)
|
||||||
all_fc_files := $(all_modules:.te=.fc)
|
all_fc_files := $(all_modules:.te=.fc)
|
||||||
|
|
||||||
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
|
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||||
post_te_files := $(user_files) $(poldir)/constraints
|
post_te_files := $(user_files) $(poldir)/constraints
|
||||||
|
|
||||||
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,33 @@
|
||||||
|
#
|
||||||
|
# This file contains the policy capabilites
|
||||||
|
# that are enabled in this policy, not a
|
||||||
|
# declaration of DAC capabilites such as
|
||||||
|
# CAP_DAC_OVERRIDE.
|
||||||
|
#
|
||||||
|
# The affected object classes and their
|
||||||
|
# permissions should also be listed in
|
||||||
|
# the comments for each capability.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Enable additional networking access control for
|
||||||
|
# labeled networking peers.
|
||||||
|
#
|
||||||
|
# Checks enabled:
|
||||||
|
# node: sendto recvfrom
|
||||||
|
# netif: ingress egress
|
||||||
|
# peer: recv
|
||||||
|
#
|
||||||
|
#policycap network_peer_controls;
|
||||||
|
|
||||||
|
# Enable additional access controls for opening
|
||||||
|
# a file (and similar objects).
|
||||||
|
#
|
||||||
|
# Checks enabled:
|
||||||
|
# dir: open
|
||||||
|
# file: open
|
||||||
|
# lnk_file: open
|
||||||
|
# fifo_file: open
|
||||||
|
# chr_file: open
|
||||||
|
# blk_file: open
|
||||||
|
#
|
||||||
|
#policycap open_perms;
|
||||||
Loading…
Reference in New Issue