blob: 39e3930133ef4c93d55d7a43f181135bd3c7208e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
#
# This file contains the policy capabilites
# that are enabled in this policy, not a
# declaration of DAC capabilites such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#
# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
policycap network_peer_controls;
# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# fifo_file: open
# sock_file: open
# chr_file: open
# blk_file: open
#
policycap open_perms;
# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Checks enabled:
# packet: send recv
# peer: recv
#
# policycap always_check_network;
# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
#
# Classes enabled:
# sctp_socket
# icmp_socket
# ax25_socket
# ipx_socket
# netrom_socket
# atmpvc_socket
# x25_socket
# rose_socket
# decnet_socket
# atmsvc_socket
# rds_socket
# irda_socket
# pppox_socket
# llc_socket
# can_socket
# tipc_socket
# bluetooth_socket
# iucv_socket
# rxrpc_socket
# isdn_socket
# phonet_socket
# ieee802154_socket
# caif_socket
# alg_socket
# nfc_socket
# vsock_socket
# kcm_socket
# qipcrtr_socket
#
# Available in kernel 4.11+.
# Requires libsepol 2.7+ to build policy with this enabled.
#
#policycap extended_socket_class;
|
GitWeb