mirror of
https://github.com/SELinuxProject/selinux
synced 2025-03-04 17:27:32 +00:00
01723ac2ce
Currently the packet class in SELinux is not checked if there are no SECMARK rules in the security or mangle netfilter tables. Similarly, the peer class is not checked if there is no NetLabel or labeled IPSEC. Some systems prefer that these classes are always checked, for example, to protect the system should the netfilter rules fail to load or if the nefilter rules were maliciously flushed. Add the always_check_network policy capability which, when enabled, treats these mechanisms as enabled, even if there are no labeling rules. Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Signed-off-by: Eric Paris <eparis@redhat.com> |
||
|---|---|---|
| .. | ||
| policydb | ||
| boolean_record.h | ||
| booleans.h | ||
| context_record.h | ||
| context.h | ||
| debug.h | ||
| errcodes.h | ||
| handle.h | ||
| iface_record.h | ||
| interfaces.h | ||
| module.h | ||
| node_record.h | ||
| nodes.h | ||
| policydb.h | ||
| port_record.h | ||
| ports.h | ||
| roles.h | ||
| sepol.h | ||
| user_record.h | ||
| users.h | ||