trunk: Add file for enabling policy capabilities.

Changelog

@@ -1,3 +1,4 @@
+- Add file for enabling policy capabilities.
 - Patch to fix leaky interface/template call depth calculator from Vaclav
   Ovsik.
 

Makefile

@@ -130,6 +130,7 @@ globaltun = $(poldir)/global_tunables
 globalbool = $(poldir)/global_booleans
 rolemap = $(poldir)/rolemap
 user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
 
 # local config file paths
 ifndef LOCAL_ROOT

Rules.modular

@@ -15,7 +15,7 @@ users_extra := $(tmpdir)/users_extra
 
 base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
 
-base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 base_te_files := $(base_mods)
 base_post_te_files := $(user_files) $(poldir)/constraints
 base_fc_files := $(base_mods:.te=.fc)

Rules.monolithic

@@ -32,7 +32,7 @@ all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
 all_te_files := $(all_modules)
 all_fc_files := $(all_modules:.te=.fc)
 
-pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 post_te_files := $(user_files) $(poldir)/constraints
 
 policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

policy/policy_capabilities

@@ -0,0 +1,33 @@
+#
+# This file contains the policy capabilites
+# that are enabled in this policy, not a
+# declaration of DAC capabilites such as
+# CAP_DAC_OVERRIDE.
+#
+# The affected object classes and their
+# permissions should also be listed in
+# the comments for each capability.
+#
+
+# Enable additional networking access control for
+# labeled networking peers.
+#
+# Checks enabled:
+# node: sendto recvfrom
+# netif: ingress egress
+# peer: recv
+#
+#policycap network_peer_controls;
+
+# Enable additional access controls for opening
+# a file (and similar objects).
+#
+# Checks enabled:
+# dir: open
+# file: open
+# lnk_file: open
+# fifo_file: open
+# chr_file: open
+# blk_file: open
+#
+#policycap open_perms;