• Stephen Smalley's avatar
    selinux: log policy capability state when a policy is loaded · 4dc2fce3
    Stephen Smalley authored
    Log the state of SELinux policy capabilities when a policy is loaded.
    For each policy capability known to the kernel, log the policy capability
    name and the value set in the policy.  For policy capabilities that are
    set in the loaded policy but unknown to the kernel, log the policy
    capability index, since this is the only information presently available
    in the policy.
    
    Sample output with a policy created with a new capability defined
    that is not known to the kernel:
    SELinux:  policy capability network_peer_controls=1
    SELinux:  policy capability open_perms=1
    SELinux:  policy capability extended_socket_class=1
    SELinux:  policy capability always_check_network=0
    SELinux:  policy capability cgroup_seclabel=0
    SELinux:  unknown policy capability 5
    
    Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/32Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    4dc2fce3
security.h 8 KB