68f2c6f44c
Disabled by default, as most systems don't want/need this.
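#
# This file contains the policy capabilities
# that are enabled in this policy, not a
# declaration of DAC capabilities such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#

# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
#	node: sendto recvfrom
#	netif: ingress egress
#	peer: recv
#
policycap network_peer_controls;

# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
#	dir: open
#	file: open
#	fifo_file: open
#	sock_file: open
#	chr_file: open
#	blk_file: open
#
policycap open_perms;

# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Disabled by default, as most systems don't want/need this.
# While the statement below stays commented out, the checks
# listed here are not forced on when network labeling is not
# configured, so policy rules on packet/peer may never be
# evaluated on such a system. Uncomment the statement to
# enable the capability.
#
# Checks enabled:
#	packet: send recv
#	peer: recv
#
# policycap always_check_network;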