libsepol: Define extended_socket_class policy capability
Define the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. This also enables separate security classes for ICMP and SCTP sockets, which were previously mapped to the rawip_socket class. The legacy redhat1 policy capability that was only ever used in testing within Fedora for ptrace_child is reclaimed for this purpose; as far as I can tell, this policy capability is not enabled in any supported distro policy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
31fcd66d39
commit
d479baa82d
@ -9,7 +9,7 @@ extern "C" {
|
||||
enum {
|
||||
POLICYDB_CAPABILITY_NETPEER,
|
||||
POLICYDB_CAPABILITY_OPENPERM,
|
||||
POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
|
||||
POLICYDB_CAPABILITY_EXTSOCKCLASS,
|
||||
POLICYDB_CAPABILITY_ALWAYSNETWORK,
|
||||
__POLICYDB_CAPABILITY_MAX
|
||||
};
|
||||
|
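Review bot: The enum header loses the only in-tree record that this slot used to be `redhat1`/`ptrace_child`, so a later reader of `POLICYDB_CAPABILITY_EXTSOCKCLASS` has no cue that any policy compiled with the old bit set will now be interpreted as enabling extended socket classes; the commit message covers this, but the header should too. I would keep a short note on the new constant, `POLICYDB_CAPABILITY_EXTSOCKCLASS, /* reuses the bit formerly reserved as redhat1 (ptrace_child testing) */`, and the same remark on the `"extended_socket_class"` entry in `polcap_names` in the second hunk, since that table is indexed by this enum and its entries must stay in lock-step. The enum and the `polcap_names` array are both shown in full here, but the surrounding header and source context lies outside the hunks.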
@ -8,7 +8,7 @@
|
||||
static const char *polcap_names[] = {
|
||||
"network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
|
||||
"open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
|
||||
"redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
|
||||
"extended_socket_class", /* POLICYDB_CAPABILITY_EXTSOCKCLASS */
|
||||
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
|
||||
NULL
|
||||
};
|
||||
|