| Message ID | 20200131183900.3507-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Series | libsepol: add support for new polcap genfs_seclabel_symlinks |
On 1/31/20 1:39 PM, Christian Göttsche wrote: > Add support for new SELinux policy capability genfs_seclabel_symlinks. > With this capability enabled symlinks on kernel filesystems will receive > contexts based on genfscon statements, like directories and files, > and not be restricted to the respective filesystem root sid. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > libsepol/include/sepol/policydb/polcaps.h | 1 + > libsepol/src/polcaps.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h > index dc9356a6..40669fb5 100644 > --- a/libsepol/include/sepol/policydb/polcaps.h > +++ b/libsepol/include/sepol/policydb/polcaps.h > @@ -13,6 +13,7 @@ enum { > POLICYDB_CAPABILITY_ALWAYSNETWORK, > POLICYDB_CAPABILITY_CGROUPSECLABEL, > POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, > + POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, > __POLICYDB_CAPABILITY_MAX > }; > #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) > diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c > index b9dc3526..67ed5786 100644 > --- a/libsepol/src/polcaps.c > +++ b/libsepol/src/polcaps.c > @@ -12,6 +12,7 @@ static const char *polcap_names[] = { > "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ > "cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */ > "nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */ > + "genfs_seclabel_symlinks", /* POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS */ > NULL > }; > >
On 2/3/20 8:34 AM, Stephen Smalley wrote:
> On 1/31/20 1:39 PM, Christian Göttsche wrote:
>> Add support for new SELinux policy capability genfs_seclabel_symlinks.
>> With this capability enabled symlinks on kernel filesystems will receive
>> contexts based on genfscon statements, like directories and files,
>> and not be restricted to the respective filesystem root sid.
>>
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Applied.
diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h index dc9356a6..40669fb5 100644 --- a/libsepol/include/sepol/policydb/polcaps.h +++ b/libsepol/include/sepol/policydb/polcaps.h @@ -13,6 +13,7 @@ enum { POLICYDB_CAPABILITY_ALWAYSNETWORK, POLICYDB_CAPABILITY_CGROUPSECLABEL, POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, + POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c index b9dc3526..67ed5786 100644 --- a/libsepol/src/polcaps.c +++ b/libsepol/src/polcaps.c @@ -12,6 +12,7 @@ static const char *polcap_names[] = { "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ "cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */ "nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */ + "genfs_seclabel_symlinks", /* POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS */ NULL };
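Review bot: In the polcaps.h hunk the new enumerator POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS is inserted directly before __POLICYDB_CAPABILITY_MAX, so POLICYDB_CAPABILITY_MAX grows by one and every existing capability keeps its number; that is the right place for it, but it also fixes the index at which polcap_names[] in polcaps.c must carry the matching string, so both tables have to be touched in the same patch (as this one does) and in the same position.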
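Review bot: Pre-existing nit visible in the context of the polcaps.c hunk: the comment on the "cgroup_seclabel" line reads `/* POLICYDB_CAPABILITY_SECLABEL */` while the enumerator in polcaps.h is POLICYDB_CAPABILITY_CGROUPSECLABEL; worth correcting in a follow-up so the comments can be relied on when checking the two tables against each other. The added line itself is fine: "genfs_seclabel_symlinks" sits at the same index as the new enumerator and NULL stays as the terminator of polcap_names[].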
Add support for new SELinux policy capability genfs_seclabel_symlinks.
With this capability enabled symlinks on kernel filesystems will receive
contexts based on genfscon statements, like directories and files,
and not be restricted to the respective filesystem root sid.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/include/sepol/policydb/polcaps.h | 1 +
 libsepol/src/polcaps.c                    | 1 +
 2 files changed, 2 insertions(+)
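An added example, not libsepol's own code (though modelled on its sepol_polcap_getnum()/sepol_polcap_getname() helpers): it reproduces the two tables this patch touches, trimmed to the entries visible in the hunks, and shows how the name from a `policycap genfs_seclabel_symlinks;` statement resolves to its index, what a libsepol without this entry returns for it, and a compile-time check that keeps the enum and the name table in lockstep. The function names polcap_getnum/polcap_getname and the trimmed indices (starting at 0 from the hunk's context) are this example's own assumptions.

```c
/* Added example: trimmed copy of the polcaps.h enum and the polcaps.c name
 * table (entries above the hunks' context omitted, so indices start at 0). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
	POLICYDB_CAPABILITY_ALWAYSNETWORK,
	POLICYDB_CAPABILITY_CGROUPSECLABEL,
	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
	POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS, /* added by the patch */
	__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
static const char *polcap_names[] = {
	"always_check_network",
	"cgroup_seclabel",
	"nnp_nosuid_transition",
	"genfs_seclabel_symlinks", /* must sit at the same index as the enumerator */
	NULL
};

/* One name per enumerator plus the NULL terminator: adding a capability to
 * only one of the two tables fails the build instead of misnumbering it. */
_Static_assert(sizeof(polcap_names) / sizeof(polcap_names[0]) ==
	       __POLICYDB_CAPABILITY_MAX + 1, "polcap_names[] out of sync with enum");
/* Name from a "policycap <name>;" statement -> capability index; -1 if this
 * libsepol does not know the name (the policy compiler then rejects it). */
static int polcap_getnum(const char *name)
{
	for (int i = 0; polcap_names[i] != NULL; i++)
		if (strcmp(polcap_names[i], name) == 0)
			return i;
	return -1;
}

/* Capability index -> name, NULL when out of range. */
static const char *polcap_getname(int capnum)
{
	if (capnum < 0 || capnum > POLICYDB_CAPABILITY_MAX)
		return NULL;
	return polcap_names[capnum];
}
int main(void)
{
	/* Without the patch the first call returns -1; with it the name resolves. */
	printf("genfs_seclabel_symlinks -> %d\n", polcap_getnum("genfs_seclabel_symlinks"));
	printf("%d -> %s\n", POLICYDB_CAPABILITY_MAX, polcap_getname(POLICYDB_CAPABILITY_MAX));
	return 0;
}
```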