selinux-refpolicy/policy/policy_capabilities
Chris PeBenito 68f2c6f44c Add always_check_network policy capability.
Disabled by default, as most systems don't want/need this.
2015-01-27 17:25:36 -05:00

44 lines
885 B
Plaintext

#
# This file contains the policy capabilites
# that are enabled in this policy, not a
# declaration of DAC capabilites such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#
# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
policycap network_peer_controls;
# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# fifo_file: open
# sock_file: open
# chr_file: open
# blk_file: open
#
policycap open_perms;
# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Checks enabled:
# packet: send recv
# peer: recv
#
# policycap always_check_network;