libsepol: Define extended_socket_class policy capability

Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2016-12-01 11:08:06 -05:00
parent 31fcd66d39
commit d479baa82d
2 changed files with 2 additions and 2 deletions

View File

@ -9,7 +9,7 @@ extern "C" {
enum {
POLICYDB_CAPABILITY_NETPEER,
POLICYDB_CAPABILITY_OPENPERM,
POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
POLICYDB_CAPABILITY_EXTSOCKCLASS,
POLICYDB_CAPABILITY_ALWAYSNETWORK,
__POLICYDB_CAPABILITY_MAX
};

View File

@ -8,7 +8,7 @@
static const char *polcap_names[] = {
"network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
"open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
"redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
"extended_socket_class", /* POLICYDB_CAPABILITY_EXTSOCKCLASS */
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
NULL
};