path: root/policy/policy_capabilities

#
# This file contains the policy capabilites
# that are enabled in this policy, not a
# declaration of DAC capabilites such as
# dac_override.
#
# The affected object classes and their
# permissions should also be listed in
# the comments for each capability.
#

# Enable additional networking access control for
# labeled networking peers.
#
# Checks enabled:
# node: sendto recvfrom
# netif: ingress egress
# peer: recv
#
policycap network_peer_controls;

# Enable additional access controls for opening
# a file (and similar objects).
#
# Checks enabled:
# dir: open
# file: open
# fifo_file: open
# sock_file: open
# chr_file: open
# blk_file: open
#
policycap open_perms;

# Always enforce network access controls, even
# if labeling is not configured for them.
# Available in kernel 3.13+
#
# Checks enabled:
# packet: send recv
# peer: recv
#
# policycap always_check_network;

# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
#
# Classes enabled:
# sctp_socket
# icmp_socket
# ax25_socket
# ipx_socket
# netrom_socket
# atmpvc_socket
# x25_socket
# rose_socket
# decnet_socket
# atmsvc_socket
# rds_socket
# irda_socket
# pppox_socket
# llc_socket
# can_socket
# tipc_socket
# bluetooth_socket
# iucv_socket
# rxrpc_socket
# isdn_socket
# phonet_socket
# ieee802154_socket
# caif_socket
# alg_socket
# nfc_socket
# vsock_socket
# kcm_socket
# qipcrtr_socket
# smc_socket
#
# Available in kernel 4.11+.
# Requires libsepol 2.7+ to build policy with this enabled.
#
policycap extended_socket_class;

# Enable fine-grained labeling of cgroup and cgroup2 filesystems.
# Requires Linux v4.11 and later.
#
# Added checks:
# (none)
policycap cgroup_seclabel;

# Enable NoNewPrivileges support.  Requires libsepol 2.7+
# and kernel 4.14.
#
# Checks enabled;
# process2: nnp_transition, nosuid_transition
#
policycap nnp_nosuid_transition;