On Thu, Aug 6, 2020 at 2:34 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> Presently mdp does not enable any SELinux policy capabilities
> in the dummy policy it generates. Thus, policies derived from
> it will by default lack various features commonly used in modern
> policies such as open permission, extended socket classes, network
> peer controls, etc. Split the policy capability definitions out into
> their own headers so that we can include them into mdp without pulling in
> other kernel headers and extend mdp to generate policycap statements for the
> policy capabilities known to the kernel. Policy authors may wish to
> selectively remove some of these from the generated policy.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
>  scripts/selinux/mdp/mdp.c                  |  7 +++++++
>  security/selinux/include/policycap.h       | 20 ++++++++++++++++++++
>  security/selinux/include/policycap_names.h | 18 ++++++++++++++++++
>  security/selinux/include/security.h        | 16 +---------------
>  security/selinux/ss/services.c             | 12 +-----------
>  5 files changed, 47 insertions(+), 26 deletions(-)
>  create mode 100644 security/selinux/include/policycap.h
>  create mode 100644 security/selinux/include/policycap_names.h

Seems reasonable to me, but obviously needs to wait until the merge window closes.

-- 
paul moore
www.paul-moore.com
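The commit message above describes mdp emitting a policycap statement for every capability the kernel knows, with policy authors free to remove some of them. The program below is an added example written for this page; it is not mdp.c and not part of the patch. It scans a policy source fragment for the `policycap <name>;` statements it already contains (skipping `#` comments), reports them as a bitmask over a table of capability names, and emits statements for the capabilities still missing, honouring a caller-supplied skip mask. The capability name table is an assumption taken from the kernel's policycap_names table as recalled by the editor, not from this thread; the sample policy text is constructed for the example.

```c
/* Added example (not from the patch or the thread): detect which SELinux
 * policy capabilities a policy source already enables and emit policycap
 * statements for the rest, the way a generator such as mdp would. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: capability names as the editor recalls them from the kernel's
 * policycap_names table around this patch; the page itself lists only three. */
static const char *const policycap_names[] = {
    "network_peer_controls",
    "open_perms",
    "extended_socket_class",
    "always_check_network",
    "cgroup_seclabel",
    "nnp_nosuid_transition",
    "genfs_seclabel_symlinks",
};
#define POLICYCAP_COUNT (sizeof(policycap_names) / sizeof(policycap_names[0]))

/* Constructed sample policy fragment: two real capabilities enabled, one only
 * mentioned in a comment, and one unknown name that checkpolicy would reject. */
const char sample_policy[] =
    "# constructed sample, not a real policy\n"
    "class file\n"
    "policycap open_perms;\n"
    "policycap network_peer_controls ;\n"
    "# policycap always_check_network;\n"
    "policycap bogus_cap;\n";

/* Index of a name (len bytes, not NUL-terminated) in the table, or -1. */
static int policycap_index(const char *name, size_t len)
{
    for (size_t i = 0; i < POLICYCAP_COUNT; i++)
        if (strlen(policycap_names[i]) == len &&
            memcmp(policycap_names[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Return a bitmask (bit i = policycap_names[i]) of the known capabilities
 * enabled by "policycap <name>;" statements in src. '#' comments are
 * skipped and unknown names are ignored. */
unsigned int policycaps_enabled(const char *src)
{
    unsigned int mask = 0;
    const char *p = src;

    while (*p) {
        if (*p == '#') {                 /* comment: skip to end of line */
            while (*p && *p != '\n')
                p++;
            continue;
        }
        /* keyword must start at a token boundary and be followed by blank */
        if ((p == src || (!isalnum((unsigned char)p[-1]) && p[-1] != '_')) &&
            strncmp(p, "policycap", 9) == 0 && isspace((unsigned char)p[9])) {
            p += 9;
            while (isspace((unsigned char)*p))
                p++;
            const char *start = p;
            while (isalnum((unsigned char)*p) || *p == '_')
                p++;
            int idx = policycap_index(start, (size_t)(p - start));
            while (isspace((unsigned char)*p))
                p++;
            if (idx >= 0 && *p == ';')
                mask |= 1u << idx;
            continue;
        }
        p++;
    }
    return mask;
}

/* Write a policycap statement for every known capability that is neither
 * already enabled nor in skip_mask; returns the number written. */
int policycaps_emit(FILE *out, unsigned int enabled_mask, unsigned int skip_mask)
{
    int n = 0;
    for (size_t i = 0; i < POLICYCAP_COUNT; i++) {
        unsigned int bit = 1u << i;
        if ((enabled_mask | skip_mask) & bit)
            continue;
        fprintf(out, "policycap %s;\n", policycap_names[i]);
        n++;
    }
    return n;
}

int main(void)
{
    unsigned int have = policycaps_enabled(sample_policy);
    /* a policy author choosing to leave out always_check_network (index 3) */
    policycaps_emit(stdout, have, 1u << 3);
    return 0;
}
```

Running it prints the four statements the sample policy still lacks; dropping the skip mask would add `policycap always_check_network;` as well. The scan deliberately ignores `bogus_cap`, since the kernel only recognises names in its own table and checkpolicy would reject the statement anyway.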