057d72af2d
Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
3.2 KiB
Policy Configuration Statements
mls
Defines whether the policy is built as an MLS or non-MLS policy by the CIL compiler. There MUST only be one mls entry in the policy otherwise the compiler will exit with an error.
Note that this can be over-ridden by the CIL compiler command line parameter -M true|false or --mls true|false flags.
Statement definition:
(mls boolean)
Where:
|
The |
|
Set to either |
Example:
(mls true)
handleunknown
Defines how the kernel will handle unknown object classes and permissions when loading the policy. There MUST only be one handleunknown entry in the policy otherwise the compiler will exit with an error.
Note that this can be over-ridden by the CIL compiler command line parameter -U or --handle-unknown flags.
Statement definition:
(handleunknown action)
Where:
|
The |
|
A keyword of either
|
Example:
This will allow unknown classes / permissions to be present in the policy:
(handleunknown allow)
policycap
Allow policy capabilities to be enabled via policy. These should be declared in the global namespace and be valid policy capabilities as they are checked against those known in libsepol by the CIL compiler.
Statement definition:
(policycap policycap_id)
Where:
|
The |
|
The |
Example:
These set two valid policy capabilities:
; Enable networking controls.
(policycap network_peer_controls)
; Enable open permission check.
(policycap open_perms)