Policy Configuration Statements

From SELinux Wiki

policycap

Policy version 22 introduced the policycap statement so that new kernel behaviour can be switched on by policy in a backward-compatible way. A policy that declares a capability gets the new behaviour; an older policy that does not declare it continues to get the original behaviour, because a capability is off unless the loaded policy names it (there is no "disable" form of the statement). An example using the network_peer_controls capability is given in the SELinux Networking Support section.

The 3.14 kernel defines four policy capabilities. As described in the SELinux Filesystem section, each appears as a file under /sys/fs/selinux/policy_capabilities whose contents are 1 if the loaded policy enabled it and 0 otherwise, which is the quickest way to confirm what the running policy actually turned on.

The statement definition is:

policycap capability;

Where:

    policycap     The policycap keyword.
    capability    A single capability identifier that will be enabled for this policy.


The statement is valid in:

    Monolithic Policy   Base Policy   Module Policy
    Yes                 Yes           No

    if Statement        optional Statement   require Statement
    No                  No                   No


Example:

# This statement enables the network_peer_controls policy capability. 
#
policycap network_peer_controls;
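The following script is an added example, not part of the wiki page or of the SELinux project's tooling. It parses policycap statements out of a policy source and cross-checks them against the capability table the kernel exposes under /sys/fs/selinux/policy_capabilities, reporting capabilities the source declares but the kernel does not know, ones the kernel knows but the loaded policy did not enable, and ones enabled on the system but missing from the source being inspected. So that it runs offline, constructed_polcap_dir() builds a stand-in for the selinuxfs directory (the two names and their values are constructed for the example, not a capture of any kernel), and SAMPLE_POLICY is a constructed fragment whose second identifier, example_cap_not_in_kernel, is hypothetical.

```python
"""Cross-check policycap statements in a policy source against the
capability table under /sys/fs/selinux/policy_capabilities (one file per
capability name; it reads 1 if the loaded policy enabled it, else 0)."""
import re
import sys
import tempfile
from pathlib import Path

SELINUXFS_POLCAP_DIR = Path("/sys/fs/selinux/policy_capabilities")

# One statement per line: "policycap <identifier>;".  Comments are stripped
# before matching, so a commented-out statement is not counted.
_POLICYCAP_RE = re.compile(r"^\s*policycap\s+([A-Za-z_][A-Za-z0-9_]*)\s*;\s*$")


def parse_policycaps(policy_source: str) -> list[str]:
    """Return the capability identifiers declared by policycap statements,
    in source order.  '#' comments and all other statements are ignored."""
    declared = []
    for raw in policy_source.splitlines():
        match = _POLICYCAP_RE.match(raw.split("#", 1)[0])
        if match:
            declared.append(match.group(1))
    return declared


def kernel_policycaps(polcap_dir: Path = SELINUXFS_POLCAP_DIR) -> dict[str, bool]:
    """Map each capability name the kernel knows to whether the loaded
    policy enabled it.  Returns {} when the directory is absent."""
    if not polcap_dir.is_dir():
        return {}
    return {
        entry.name: entry.read_text().strip() == "1"
        for entry in sorted(polcap_dir.iterdir())
        if entry.is_file()
    }


def check_policycaps(policy_source: str,
                     polcap_dir: Path = SELINUXFS_POLCAP_DIR) -> dict[str, list[str]]:
    """Classify the declarations in policy_source against the kernel table:
      enabled               declared here and on in the loaded policy
      declared_not_enabled  kernel knows it, but the loaded policy did not
                            enable it (this source is not the loaded policy)
      unknown_to_kernel     declared here but this kernel has no such
                            capability, so the source cannot enable it here
      enabled_not_declared  on in the loaded policy but absent from this source
    """
    declared = parse_policycaps(policy_source)
    table = kernel_policycaps(polcap_dir)
    result = {"enabled": [], "declared_not_enabled": [],
              "unknown_to_kernel": [], "enabled_not_declared": []}
    for cap in declared:
        if cap not in table:
            result["unknown_to_kernel"].append(cap)
        elif table[cap]:
            result["enabled"].append(cap)
        else:
            result["declared_not_enabled"].append(cap)
    result["enabled_not_declared"] = [c for c, on in table.items()
                                      if on and c not in declared]
    return result


def constructed_polcap_dir() -> Path:
    """Stand-in for /sys/fs/selinux/policy_capabilities so the check runs
    offline.  Names and values are constructed for this example, not a
    capture of any kernel."""
    d = Path(tempfile.mkdtemp(prefix="polcap-"))
    (d / "network_peer_controls").write_text("1\n")
    (d / "open_perms").write_text("0\n")
    return d


# Constructed policy fragment: the page's example statement plus a second
# statement whose identifier is hypothetical and unknown to the stand-in.
SAMPLE_POLICY = """\
# This statement enables the network_peer_controls policy capability.
policycap network_peer_controls;
policycap example_cap_not_in_kernel;   # hypothetical identifier
allow example_t example_t:process signal;
"""

if __name__ == "__main__":
    # With a file argument, check that policy source against the real
    # selinuxfs; otherwise run the constructed sample against the stand-in.
    if len(sys.argv) > 1:
        report = check_policycaps(Path(sys.argv[1]).read_text())
    else:
        report = check_policycaps(SAMPLE_POLICY, constructed_polcap_dir())
    for key, caps in report.items():
        print(f"{key:22} {' '.join(caps) or '-'}")
```

Run as `python3 polcapcheck.py policy.conf` on a system with selinuxfs mounted to compare a source tree against what the kernel actually has on; an entry under unknown_to_kernel means the source relies on a capability this kernel predates, and an entry under declared_not_enabled means the policy on disk is not the one that was loaded.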
