diff --git a/Changelog b/Changelog
index aa6d05b..4529e65 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add file for enabling policy capabilities.
 - Patch to fix leaky interface/template call depth calculator from Vaclav Ovsik.
diff --git a/Makefile b/Makefile
index a08c983..ec7c7d5 100644
--- a/Makefile
+++ b/Makefile
@@ -130,6 +130,7 @@ globaltun = $(poldir)/global_tunables
 globalbool = $(poldir)/global_booleans
 rolemap = $(poldir)/rolemap
 user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
 # local config file paths
 ifndef LOCAL_ROOT
diff --git a/Rules.modular b/Rules.modular
index 1b767b0..03dca50 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -15,7 +15,7 @@ users_extra := $(tmpdir)/users_extra
 base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
-base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 base_te_files := $(base_mods)
 base_post_te_files := $(user_files) $(poldir)/constraints
 base_fc_files := $(base_mods:.te=.fc)
diff --git a/Rules.monolithic b/Rules.monolithic
index a6b0d55..4b6acbc 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -32,7 +32,7 @@ all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
 all_te_files := $(all_modules)
 all_fc_files := $(all_modules:.te=.fc)
-pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
 post_te_files := $(user_files) $(poldir)/constraints
 policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
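Review bot: The new `policycaps := $(poldir)/policy_capabilities` line joins a run of path variables that carry no comment, and unlike `rolemap` or `user_files` the name alone does not tell a reader what the file holds or where its contents end up in the built policy. Judging by the `base_pre_te_files`/`pre_te_files` lists in the other hunks it is presumably concatenated into the pre-TE section, so a one-line comment would help, e.g. `# policycap statements (policy capabilities enabled in this policy), emitted before the TE rules`. The enclosing variable block starts and ends outside the hunk.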
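Review bot: The `base_pre_te_files` list in this hunk and the `pre_te_files` list in the Rules.monolithic hunk are now word-for-word identical, and this commit had to append `$(policycaps)` to both by hand; the next pre-TE input is just as easy to add to one file and forget in the other, which would silently build the modular and monolithic flavours from different inputs. Consider defining the shared list once in Makefile next to `policycaps`, e.g. `pre_te_common := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)`, and having both rules files reference it. Whether Makefile is always parsed before both rules files is not visible here, so that placement should be confirmed before moving the list.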
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
new file mode 100644
index 0000000..ad2d5d6
--- /dev/null
+++ b/policy/policy_capabilities
@@ -0,0 +1,33 @@
+#
+# This file contains the policy capabilites
+# that are enabled in this policy, not a
+# declaration of DAC capabilites such as
+# CAP_DAC_OVERRIDE.
+#
+# The affected object classes and their
+# permissions should also be listed in
+# the comments for each capability.
+#
+
+# Enable additional networking access control for
+# labeled networking peers.
+#
+# Checks enabled:
+# node: sendto recvfrom
+# netif: ingress egress
+# peer: recv
+#
+#policycap network_peer_controls;
+
+# Enable additional access controls for opening
+# a file (and similar objects).
+#
+# Checks enabled:
+# dir: open
+# file: open
+# lnk_file: open
+# fifo_file: open
+# chr_file: open
+# blk_file: open
+#
+#policycap open_perms;
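Review bot: The header misspells "capabilities" twice (`# This file contains the policy capabilites` and `# declaration of DAC capabilites such as`). Both `policycap` statements ship commented out, so the built policy gains nothing until someone uncomments one, and the file does not say what that entails: the lines under `Checks enabled:` become enforced checks, so presumably every domain that performs a listed operation (for example `file: open`) needs the corresponding permission allowed before the capability is turned on, or it will be denied, and the running kernel and policy toolchain must support that capability. Suggest stating this in the header, e.g. `# To enable a capability, uncomment its policycap line. This turns on the listed checks, so the matching permissions must already be allowed wherever they are needed.` The hunk covers the whole new file.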