summaryrefslogtreecommitdiff
path: root/scripts/selinux/mdp
diff options
context:
space:
mode:
authorStephen Smalley <stephen.smalley.work@gmail.com>2020-08-06 14:34:18 -0400
committerPaul Moore <paul@paul-moore.com>2020-08-17 20:42:00 -0400
commit339949be25863ac15e24659c2ab4b01185e1234a (patch)
treede4c7230a954ad27655ba2a8118877eb9c051f63 /scripts/selinux/mdp
parent9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 (diff)
downloadlwn-339949be25863ac15e24659c2ab4b01185e1234a.tar.gz
lwn-339949be25863ac15e24659c2ab4b01185e1234a.zip
scripts/selinux,selinux: update mdp to enable policy capabilities
Presently mdp does not enable any SELinux policy capabilities in the dummy policy it generates. Thus, policies derived from it will by default lack various features commonly used in modern policies such as open permission, extended socket classes, network peer controls, etc. Split the policy capability definitions out into their own headers so that we can include them into mdp without pulling in other kernel headers and extend mdp generate policycap statements for the policy capabilities known to the kernel. Policy authors may wish to selectively remove some of these from the generated policy. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'scripts/selinux/mdp')
-rw-r--r--scripts/selinux/mdp/mdp.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6ceb88eb9b59..105c1c31a316 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -35,6 +35,9 @@ struct security_class_mapping {
#include "classmap.h"
#include "initial_sid_to_string.h"
+#include "policycap_names.h"
+
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
int main(int argc, char *argv[])
{
@@ -115,6 +118,10 @@ int main(int argc, char *argv[])
}
}
+ /* enable all policy capabilities */
+ for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+ fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]);
+
/* types, roles, and allows */
fprintf(fout, "type base_t;\n");
fprintf(fout, "role base_r;\n");