aboutsummaryrefslogtreecommitdiff
blob: c6b84d8c7c393e7ddc496cea86ee2020fd6312b9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#
# This file contains the policy capabilities
# that are enabled in this policy, not a
# declaration of DAC capabilities such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#

# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
policycap network_peer_controls;

# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# fifo_file: open
# sock_file: open
# chr_file: open
# blk_file: open
#
policycap open_perms;

# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Checks enabled:
# packet: send recv
# peer: recv
#
# policycap always_check_network;

# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
#
# Classes enabled:
# sctp_socket
# icmp_socket
# ax25_socket
# ipx_socket
# netrom_socket
# atmpvc_socket
# x25_socket
# rose_socket
# decnet_socket
# atmsvc_socket
# rds_socket
# irda_socket
# pppox_socket
# llc_socket
# can_socket
# tipc_socket
# bluetooth_socket
# iucv_socket
# rxrpc_socket
# isdn_socket
# phonet_socket
# ieee802154_socket
# caif_socket
# alg_socket
# nfc_socket
# vsock_socket
# kcm_socket
# qipcrtr_socket
# smc_socket
#
# Available in kernel 4.11+.
# Requires libsepol 2.7+ to build policy with this enabled.
#
policycap extended_socket_class;

# Enable fine-grained labeling of cgroup and cgroup2 filesystems.
# Requires Linux v4.11 and later.
#
# Added checks:
# (none)
policycap cgroup_seclabel;

# Enable NoNewPrivileges support.  Requires libsepol 2.7+
# and kernel 4.14.
#
# Checks enabled;
# process2: nnp_transition, nosuid_transition
#
policycap nnp_nosuid_transition;

# Enable extended genfscon labeling for symlinks.
# Requires libsepol 3.1 and kernel 5.7.
#
# Added checks:
# (none)
#
#policycap genfs_seclabel_symlinks;

# Always allow FIOCLEX and FIONCLEX ioctl.
# Requires libsepol 3.4 and kernel 5.18.
#
# Removed checks:
# common file/socket: ioctl { 0x5450 0x5451 }
#
#policycap ioctl_skip_cloexec;