9aeabd2a3e
Add new future policy capability ioctl_skip_cloexec. Drop estimate comments from genfs_seclabel_symlinks. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
117 lines
2.3 KiB
Plaintext
117 lines
2.3 KiB
Plaintext
#
|
|
# This file contains the policy capabilities
|
|
# that are enabled in this policy, not a
|
|
# declaration of DAC capabilities such as
|
|
# dac_override.
|
|
#
|
|
# The affected object classes and their
|
|
# permissions should also be listed in
|
|
# the comments for each capability.
|
|
#
|
|
|
|
# Enable additional networking access control for
|
|
# labeled networking peers.
|
|
#
|
|
# Checks enabled:
|
|
# node: sendto recvfrom
|
|
# netif: ingress egress
|
|
# peer: recv
|
|
#
|
|
policycap network_peer_controls;
|
|
|
|
# Enable additional access controls for opening
|
|
# a file (and similar objects).
|
|
#
|
|
# Checks enabled:
|
|
# dir: open
|
|
# file: open
|
|
# fifo_file: open
|
|
# sock_file: open
|
|
# chr_file: open
|
|
# blk_file: open
|
|
#
|
|
policycap open_perms;
|
|
|
|
# Always enforce network access controls, even
|
|
# if labeling is not configured for them.
|
|
# Available in kernel 3.13+
|
|
#
|
|
# Checks enabled:
|
|
# packet: send recv
|
|
# peer: recv
|
|
#
|
|
# policycap always_check_network;
|
|
|
|
# Enable separate security classes for
|
|
# all network address families previously
|
|
# mapped to the socket class and for
|
|
# ICMP and SCTP sockets previously mapped
|
|
# to the rawip_socket class.
|
|
#
|
|
# Classes enabled:
|
|
# sctp_socket
|
|
# icmp_socket
|
|
# ax25_socket
|
|
# ipx_socket
|
|
# netrom_socket
|
|
# atmpvc_socket
|
|
# x25_socket
|
|
# rose_socket
|
|
# decnet_socket
|
|
# atmsvc_socket
|
|
# rds_socket
|
|
# irda_socket
|
|
# pppox_socket
|
|
# llc_socket
|
|
# can_socket
|
|
# tipc_socket
|
|
# bluetooth_socket
|
|
# iucv_socket
|
|
# rxrpc_socket
|
|
# isdn_socket
|
|
# phonet_socket
|
|
# ieee802154_socket
|
|
# caif_socket
|
|
# alg_socket
|
|
# nfc_socket
|
|
# vsock_socket
|
|
# kcm_socket
|
|
# qipcrtr_socket
|
|
# smc_socket
|
|
#
|
|
# Available in kernel 4.11+.
|
|
# Requires libsepol 2.7+ to build policy with this enabled.
|
|
#
|
|
policycap extended_socket_class;
|
|
|
|
# Enable fine-grained labeling of cgroup and cgroup2 filesystems.
|
|
# Requires Linux v4.11 and later.
|
|
#
|
|
# Added checks:
|
|
# (none)
|
|
policycap cgroup_seclabel;
|
|
|
|
# Enable NoNewPrivileges support. Requires libsepol 2.7+
|
|
# and kernel 4.14.
|
|
#
|
|
# Checks enabled;
|
|
# process2: nnp_transition, nosuid_transition
|
|
#
|
|
policycap nnp_nosuid_transition;
|
|
|
|
# Enable extended genfscon labeling for symlinks.
|
|
# Requires libsepol 3.1 and kernel 5.7.
|
|
#
|
|
# Added checks:
|
|
# (none)
|
|
#
|
|
#policycap genfs_seclabel_symlinks;
|
|
|
|
# Always allow FIOCLEX and FIONCLEX ioctl.
|
|
# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
|
|
#
|
|
# Removed checks:
|
|
# common file/socket: ioctl { 0x5450 0x5451 }
|
|
#
|
|
#policycap ioctl_skip_cloexec;
|