Support a SELinux overhaul of systemd by adding a policy capability. The systemd patch can be found at https://github.com/systemd/systemd/pull/10023 and has NOT yet been accepted. This is just a rfc to test the water.
---
 security/selinux/include/security.h | 1 +
 security/selinux/ss/services.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ecdd610e6449..2853e462977f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -79,6 +79,7 @@ enum {
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 	POLICYDB_CAPABILITY_CGROUPSECLABEL,
 	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
+	POLICYDB_CAPABILITY_SYSTEMD_OVERHAUL,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55cf42945cba..cb50e187b181 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -73,7 +73,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
 	"extended_socket_class",
 	"always_check_network",
 	"cgroup_seclabel",
-	"nnp_nosuid_transition"
+	"nnp_nosuid_transition",
+	"systemd_overhaul"
 };
 
 static struct selinux_ss selinux_ss;
-- 
2.24.1
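Review bot: The new `POLICYDB_CAPABILITY_SYSTEMD_OVERHAUL` entry carries no comment saying which kernel behaviour it is meant to toggle, and nothing in this patch reads it (the diffstat shows only the enum and the name table change), so a reader cannot tell whether a kernel-side check is still to come or whether the capability exists only to be exported through selinuxfs for systemd to query. Policy capability identifiers and their index are baked into compiled policies once shipped, so they cannot be renamed later; a name describing the behaviour change rather than the consuming project would age better, and that choice deserves a sentence in the commit message. At minimum add a comment on the enum line, e.g. `/* no kernel-side check yet; currently only exported to userspace (see systemd PR 10023) */`, hedged to match what this patch actually does. The enum itself opens above the hunk.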
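Review bot: `selinux_policycap_names` is declared with an explicit `__POLICYDB_CAPABILITY_MAX` bound, so an initializer that falls one entry short still compiles and silently leaves a NULL at the tail rather than failing the build; the new `"systemd_overhaul"` string is correct here only because it is appended last, mirroring the enum. The same name at the same position also has to be added to the userspace policy toolchain's capability table (libsepol), otherwise a `policycap systemd_overhaul;` statement cannot be compiled into the bit this table labels. Making the coupling visible with a comment on the array, `/* order must match POLICYDB_CAPABILITY_* in security.h and the libsepol policycap table */`, would help the next person who extends it. The array's opening line and first entries are above the hunk.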