author | Stephen Smalley <sds@tycho.nsa.gov> | 2017-05-18 22:58:31 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-05-23 16:23:50 +0200 |
commit | 4dc2fce342f8e5b165e2eda29a39446bb07b2457 (patch) | |
tree | 29e9f11e0be92036b11c47c7cb75d38752e9ebba /security/selinux/include | |
parent | selinux: do not check open permission on sockets (diff) | |
download | linux-4dc2fce342f8e5b165e2eda29a39446bb07b2457.tar.xz linux-4dc2fce342f8e5b165e2eda29a39446bb07b2457.zip |
selinux: log policy capability state when a policy is loaded
Log the state of SELinux policy capabilities when a policy is loaded.
For each policy capability known to the kernel, log the policy capability
name and the value set in the policy. For policy capabilities that are
set in the loaded policy but unknown to the kernel, log the policy
capability index, since this is the only information presently available
in the policy.
Sample output with a policy created with a new capability defined
that is not known to the kernel:
SELinux: policy capability network_peer_controls=1
SELinux: policy capability open_perms=1
SELinux: policy capability extended_socket_class=1
SELinux: policy capability always_check_network=0
SELinux: policy capability cgroup_seclabel=0
SELinux: unknown policy capability 5
Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/32
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/security.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f979c35e037e..c4224bbf9f4e 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -76,6 +76,8 @@ enum { }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) +extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX]; + extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_extsockclass; |
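Review bot: the new declaration `extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];` exposes an array of names that are only ever read, so `extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];` would let the compiler reject accidental writes through the pointer and documents the intent for other users of the header. Note also that the array is sized `__POLICYDB_CAPABILITY_MAX` while the `POLICYDB_CAPABILITY_MAX` define just above it is one less, so any caller that maps a capability index read from the loaded policy to a name must bounds-check with `index < __POLICYDB_CAPABILITY_MAX` before indexing; that out-of-range case is exactly the "unknown policy capability 5" line the commit message says is logged by number only.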