# FLASK
#
# Define the security context for each initial SID
# sid sidname   context
# kernel, security and unlabeled are each given the single MLS level
# s15:c0.c255 (sensitivity s15 with categories c0 through c255); this is one
# level, not a low-high range. kernel is the only entry in this file that
# uses the system_r role; every other initial SID uses object_r.
# NOTE(review): presumably s15 is the highest sensitivity this policy
# declares -- confirm against the MLS sensitivity configuration.
sid kernel	system_u:system_r:kernel_t:s15:c0.c255
sid security	system_u:object_r:security_t:s15:c0.c255
sid unlabeled	system_u:object_r:unlabeled_t:s15:c0.c255
sid fs		system_u:object_r:fs_t:s0
sid file	system_u:object_r:file_t:s0
# Persistent label mapping is gone.  This initial SID can be removed.
# NOTE(review): every retired initial SID in this file is mapped to
# unlabeled_t at s15:c0.c255, so a stray use would presumably be handled
# under the rules for unlabeled data at that level rather than picking up a
# more specific type -- confirm this is the intended fallback before
# removing or re-pointing any of these entries.
sid file_labels	system_u:object_r:unlabeled_t:s15:c0.c255
# init_t is still used, but an initial SID is no longer required.
sid init	system_u:object_r:unlabeled_t:s15:c0.c255
# any_socket is no longer used.
sid any_socket 	system_u:object_r:unlabeled_t:s15:c0.c255
sid port	system_u:object_r:port_t:s0
sid netif	system_u:object_r:netif_t:s0
# netmsg is no longer used.
sid netmsg	system_u:object_r:unlabeled_t:s15:c0.c255
sid node	system_u:object_r:node_t:s0
# These sockets are now labeled with the kernel SID,
# and do not require their own initial SIDs.
sid igmp_packet system_u:object_r:unlabeled_t:s15:c0.c255
sid icmp_socket system_u:object_r:unlabeled_t:s15:c0.c255
sid tcp_socket  system_u:object_r:unlabeled_t:s15:c0.c255
# Most of the sysctl SIDs are now computed at runtime
# from genfs_contexts, so the corresponding initial SIDs
# are no longer required.
sid sysctl_modprobe	system_u:object_r:unlabeled_t:s15:c0.c255
# But we still need the base sysctl initial SID as a default.
sid sysctl	system_u:object_r:sysctl_t:s0
# NOTE(review): sysctl_fs through sysctl_dev map to unlabeled_t in the same
# way as sysctl_modprobe, so they appear to be among the per-subtree sysctl
# SIDs that are now computed from genfs_contexts; only the base sysctl SID
# keeps sysctl_t.
sid sysctl_fs	system_u:object_r:unlabeled_t:s15:c0.c255
sid sysctl_kernel	system_u:object_r:unlabeled_t:s15:c0.c255
sid sysctl_net	system_u:object_r:unlabeled_t:s15:c0.c255
sid sysctl_net_unix	system_u:object_r:unlabeled_t:s15:c0.c255
sid sysctl_vm	system_u:object_r:unlabeled_t:s15:c0.c255
sid sysctl_dev	system_u:object_r:unlabeled_t:s15:c0.c255
# kmod, policy and scmp_packet are no longer used and can be removed.
sid kmod	system_u:object_r:unlabeled_t:s15:c0.c255
sid policy	system_u:object_r:unlabeled_t:s15:c0.c255
sid scmp_packet	system_u:object_r:unlabeled_t:s15:c0.c255
# NOTE(review): the "no longer used" comment above does not appear to cover
# devnull -- it keeps its own type (null_device_t) at level s0 instead of
# being mapped to unlabeled_t. Confirm it is still required before including
# it in any cleanup of retired initial SIDs.
sid devnull	system_u:object_r:null_device_t:s0
# FLASK