cfe0a94feb
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, note that it is enabled as part of the extended_socket_class policy capability, and add it to the socket_class_set macro. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
#
# This file contains the policy capabilities
# that are enabled in this policy, not a
# declaration of DAC capabilities such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#
# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
policycap network_peer_controls;
# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# fifo_file: open
# sock_file: open
# chr_file: open
# blk_file: open
#
policycap open_perms;
# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Checks enabled:
# packet: send recv
# peer: recv
#
# policycap always_check_network;
# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
#
# Classes enabled:
# sctp_socket
# icmp_socket
# ax25_socket
# ipx_socket
# netrom_socket
# atmpvc_socket
# x25_socket
# rose_socket
# decnet_socket
# atmsvc_socket
# rds_socket
# irda_socket
# pppox_socket
# llc_socket
# can_socket
# tipc_socket
# bluetooth_socket
# iucv_socket
# rxrpc_socket
# isdn_socket
# phonet_socket
# ieee802154_socket
# caif_socket
# alg_socket
# nfc_socket
# vsock_socket
# kcm_socket
# qipcrtr_socket
# smc_socket
#
# Available in kernel 4.11+.
# Requires libsepol 2.7+ to build policy with this enabled.
#
#policycap extended_socket_class;
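Review bot: The capability that gates the newly listed smc_socket class stays disabled at `#policycap extended_socket_class;`, so in this policy the new class, its access vector and its socket_class_set entry are declared but not enforced, and — per the block's own wording that these families were "previously mapped to the socket class" — AF_SMC sockets presumably continue to be checked as the generic `socket` class until the line is uncommented. The comment block states the kernel 4.11+ and libsepol 2.7+ requirements but not this fallback, which a reader skimming the "Classes enabled" list may take as active enforcement. Suggest adding, after the class list, `# While this capability is disabled, these families remain subject to the generic socket class checks.` The commit message mentions the class and access vector definitions, which live outside this file.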