On 07/19/2014 04:03 AM, dE wrote:
> I came across this term and couldn't find much reference to it.

A mechanism for telling the kernel that your policy supports some new feature/capability and therefore it is safe for the kernel to enable the corresponding check/logic. Used as a way of supporting new checks/features in a backward-compatible manner: old policies will not have defined the policy capability for the new feature and therefore will not enable the new check/logic by default, while new policies can opt into or out of the new check/logic at their discretion.

ls /sys/fs/selinux/policy_capabilities will show the list of policy capabilities known to your kernel, while cat /sys/fs/selinux/policy_capabilities/<capability_name> will show whether that capability was enabled (1) or disabled (0) in the currently loaded policy.

seinfo --polcap will list enabled policy capabilities in the current or specified policy.

The set of policy capabilities to be enabled in the policy is declared in refpolicy/policy/policy_capabilities in the refpolicy source.

The kernel uses the value of specific policy capabilities to decide whether to enable corresponding checks/logic in security/selinux/hooks.c in the kernel source; look for tests of selinux_policycap_*. These variables are set upon policy load by security_load_policycaps(), loaded from a bitmap read from the policy file.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
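The selinuxfs inspection described in the reply above, turned into a small reusable script. This is an added example, not code from the original mail or from the SELinux project: it reads the per-capability files under policy_capabilities/ and reports which capabilities the running kernel knows about and which ones the loaded policy has turned on. The selinuxfs mount point /sys/fs/selinux is the usual default and is assumed here; every function takes an optional directory argument so the script can be pointed at another mount (or, for testing, at a constructed directory tree mimicking the layout). The function names and the enabled/disabled/unreadable labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original mail): report the policy
# capabilities known to the kernel and whether the loaded policy
# enabled them, by reading selinuxfs directly.
# Assumption: selinuxfs is mounted at /sys/fs/selinux unless a
# different root directory is passed as the first argument.

# list_polcaps [DIR]
# Prints one line per capability file: "<name> enabled|disabled|unreadable".
# Returns 1 if DIR/policy_capabilities does not exist (selinuxfs not
# mounted, or a kernel that predates policy capabilities).
list_polcaps() {
    dir="${1:-/sys/fs/selinux}/policy_capabilities"
    if [ ! -d "$dir" ]; then
        echo "no policy_capabilities directory at $dir" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip if the glob matched nothing
        name=$(basename "$f")
        case "$(cat "$f" 2>/dev/null)" in
            1) echo "$name enabled" ;;   # policy opted into this check
            0) echo "$name disabled" ;;  # kernel knows it, policy did not enable it
            *) echo "$name unreadable" ;;
        esac
    done
}

# enabled_polcaps [DIR]
# Prints only the names of capabilities the loaded policy enabled,
# roughly what `seinfo --polcap` reports for the running policy.
enabled_polcaps() {
    list_polcaps "$1" | awk '$2 == "enabled" { print $1 }'
}

# polcap_enabled DIR NAME
# Exit 0 if NAME is an enabled capability, 1 if disabled, unknown to
# the kernel, or unreadable. Handy as a guard before relying on a
# newer check (e.g. in a deployment script).
polcap_enabled() {
    f="${1:-/sys/fs/selinux}/policy_capabilities/$2"
    [ -f "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Usage when run directly on an SELinux host: print the full table.
# The "|| true" keeps a missing selinuxfs from aborting a caller that
# sourced this file with "set -e".
list_polcaps "$@" || true
```

On a host without SELinux the script prints a one-line diagnostic to stderr and exits cleanly; on an SELinux host the output is one line per file under policy_capabilities/, e.g. "open_perms enabled". A capability listed as disabled is one the kernel supports but the loaded policy did not declare, so the corresponding check in security/selinux/hooks.c is not applied.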