On Thu, Aug 6, 2020 at 11:46 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Thu, Aug 6, 2020 at 2:34 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > Presently mdp does not enable any SELinux policy capabilities
> > in the dummy policy it generates. Thus, policies derived from
> > it will by default lack various features commonly used in modern
> > policies such as open permission, extended socket classes, network
> > peer controls, etc. Split the policy capability definitions out into
> > their own headers so that we can include them into mdp without pulling in
> > other kernel headers and extend mdp to generate policycap statements for the
> > policy capabilities known to the kernel. Policy authors may wish to
> > selectively remove some of these from the generated policy.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > ---
> > scripts/selinux/mdp/mdp.c | 7 +++++++
> > security/selinux/include/policycap.h | 20 ++++++++++++++++++++
> > security/selinux/include/policycap_names.h | 18 ++++++++++++++++++
> > security/selinux/include/security.h | 16 +---------------
> > security/selinux/ss/services.c | 12 +-----------
> > 5 files changed, 47 insertions(+), 26 deletions(-)
> > create mode 100644 security/selinux/include/policycap.h
> > create mode 100644 security/selinux/include/policycap_names.h
>
> Seems reasonable to me, but obviously needs to wait until the merge
> window closes.

I just merged this into selinux/next, thanks Stephen.

--
paul moore
www.paul-moore.com