selinux-refpolicy/policy
Stephen Smalley 09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
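A practical check to go with the commit message above, added here as an example rather than code from refpolicy or this commit: the kernel exposes each policy capability's state under selinuxfs (policy_capabilities/<name> reads "1" or "0"), and every class in the loaded policy appears as a directory under class/. The script reads both to tell a policy writer whether ICMP and SCTP sockets on this host are being checked as icmp_socket/sctp_socket or still as rawip_socket. The function names are hypothetical, and the selinuxfs root defaults to /sys/fs/selinux but is taken as an argument so it can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example (not part of refpolicy or this commit).
# Reports whether the running kernel and loaded policy use the
# extended socket classes. Assumptions: selinuxfs layout
# ROOT/policy_capabilities/<name> (contents "0" or "1") and
# ROOT/class/<classname>/ for every class the loaded policy defines.
# Function names are hypothetical.

# extsock_capability ROOT
#   Prints enabled / disabled / unsupported; returns 0 / 1 / 2.
extsock_capability() {
    capfile="$1/policy_capabilities/extended_socket_class"
    if [ ! -r "$capfile" ]; then
        # Kernel older than the capability, or selinuxfs not mounted here.
        echo unsupported
        return 2
    fi
    case "$(cat "$capfile")" in
        1) echo enabled;     return 0 ;;
        0) echo disabled;    return 1 ;;
        *) echo unsupported; return 2 ;;
    esac
}

# socket_class_present ROOT CLASS
#   True when the loaded policy defines CLASS (selinuxfs lists classes as dirs).
socket_class_present() {
    [ -d "$1/class/$2" ]
}

# extsock_report ROOT
#   Summary for a policy writer; exit status mirrors extsock_capability.
extsock_report() {
    root="$1"
    rc=0
    state=$(extsock_capability "$root") || rc=$?
    echo "extended_socket_class: $state"
    for cls in icmp_socket sctp_socket; do
        if socket_class_present "$root" "$cls"; then
            echo "  class $cls: defined in loaded policy"
        else
            echo "  class $cls: not defined in loaded policy"
        fi
    done
    if [ "$rc" -eq 0 ]; then
        # The caveat behind "left to future commits" in the commit message:
        # once the capability is on, a domain whose only rules are on
        # rawip_socket can no longer open ICMP or SCTP sockets.
        echo "  note: ICMP/SCTP sockets are checked as icmp_socket/sctp_socket,"
        echo "        not rawip_socket; domains need rules on the new classes."
    else
        echo "  note: ICMP and SCTP sockets are still checked as rawip_socket."
    fi
    return "$rc"
}

# Usage: sh extsock_check.sh [SELINUXFS_ROOT]   (default /sys/fs/selinux)
if [ "$#" -eq 1 ]; then
    extsock_report "$1"
elif [ "$#" -eq 0 ] && [ -d /sys/fs/selinux/policy_capabilities ]; then
    extsock_report /sys/fs/selinux
fi
```

Exit status 0 means the capability is live, 1 means the policy was built with it disabled (the default this commit leaves in place), and 2 means the kernel or policy does not know the capability at all, so the rawip_socket rules are the ones that count.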
Name                 Last commit                                                                            Date
flask                refpolicy: Define extended_socket_class policy capability and socket classes          2016-12-08 18:07:42 -05:00
modules              Module version bump for kernel sysctl patch from Luis Ressel                          2016-12-06 20:26:43 -05:00
support              refpolicy: Define extended_socket_class policy capability and socket classes          2016-12-08 18:07:42 -05:00
constraints          remove trailing whitespaces                                                           2016-12-06 13:45:13 +01:00
context_defaults     Fix error in default_user example.                                                    2014-04-28 10:19:22 -04:00
global_booleans      Move secure_mode_policyload into selinux module as that is the only place it is used.  2011-09-26 09:53:23 -04:00
global_tunables      user_udp_server tunable                                                               2016-08-02 19:44:16 -04:00
mcs                  remove trailing whitespaces                                                           2016-12-06 13:45:13 +01:00
mls                  remove trailing whitespaces                                                           2016-12-06 13:45:13 +01:00
policy_capabilities  refpolicy: Define extended_socket_class policy capability and socket classes          2016-12-08 18:07:42 -05:00
users                Apply direct_initrc to unconfined_r:unconfined_t                                      2014-01-16 15:27:18 -05:00