libsepol: Define cgroup_seclabel policy capability

Define the new cgroup_seclabel policy capability used to enable userspace setting of security labels on cgroup files via setfscreatecon() aka /proc/self/attr/fscreate and/or setfilecon() aka setxattr(). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2025-02-27 15:00:39 +00:00 · 2017-02-28 10:26:48 -05:00 · 2017-02-28 10:26:48 -05:00 · 43b24f0132
commit 43b24f0132
parent ded385d377
2 changed files with 2 additions and 0 deletions
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@ -11,6 +11,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_EXTSOCKCLASS,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_CGROUPSECLABEL,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@ -10,6 +10,7 @@ static const char *polcap_names[] = {
 	"open_perms",			/* POLICYDB_CAPABILITY_OPENPERM */
 	"extended_socket_class",	/* POLICYDB_CAPABILITY_EXTSOCKCLASS */
 	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
+	"cgroup_seclabel",		/* POLICYDB_CAPABILITY_SECLABEL */
 	NULL
 };