diff options
author | Stephen Smalley <stephen.smalley.work@gmail.com> | 2020-08-06 14:34:18 -0400 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2020-08-17 20:42:00 -0400 |
commit | 339949be25863ac15e24659c2ab4b01185e1234a (patch) | |
tree | de4c7230a954ad27655ba2a8118877eb9c051f63 /scripts/selinux/mdp | |
parent | 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 (diff) | |
download | lwn-339949be25863ac15e24659c2ab4b01185e1234a.tar.gz lwn-339949be25863ac15e24659c2ab4b01185e1234a.zip |
scripts/selinux,selinux: update mdp to enable policy capabilities
Presently mdp does not enable any SELinux policy capabilities
in the dummy policy it generates. Thus, policies derived from
it will by default lack various features commonly used in modern
policies such as open permission, extended socket classes, network
peer controls, etc. Split the policy capability definitions out into
their own headers so that we can include them into mdp without pulling in
other kernel headers and extend mdp generate policycap statements for the
policy capabilities known to the kernel. Policy authors may wish to
selectively remove some of these from the generated policy.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'scripts/selinux/mdp')
-rw-r--r-- | scripts/selinux/mdp/mdp.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6ceb88eb9b59..105c1c31a316 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -35,6 +35,9 @@ struct security_class_mapping { #include "classmap.h" #include "initial_sid_to_string.h" +#include "policycap_names.h" + +#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) int main(int argc, char *argv[]) { @@ -115,6 +118,10 @@ int main(int argc, char *argv[]) } } + /* enable all policy capabilities */ + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]); + /* types, roles, and allows */ fprintf(fout, "type base_t;\n"); fprintf(fout, "role base_r;\n"); |