; Build an MLS policy. Ensures that we emit the sensitivity tag in ; file_contexts, which makes it compatible as input to `setfiles`. (mls true) ; MLS has concepts of sensitivities and levels that we can ignore ; since we're not writing a true MLS policy. However, they are still ; required arguments in many places, so we need a minimal set. (sensitivity s0) (sensitivityorder (s0)) (sensitivitycategory s0 (range c0 c1023)) (level s0 (s0)) (levelrange s0 (s0 s0)) (level s0-s0 (s0 (range c0 c1023))) (levelrange s0-s0 (s0 s0-s0)) ; The system_r role is used for processes. (role system_r) ; The object_r role is used for files. (role object_r) ; Our system_u user has both roles. (user system_u) (userrole system_u system_r) (userrole system_u object_r) (userlevel system_u s0-s0) (userrange system_u s0-s0) ; Take the context from the target file rather than the source ; process when computing the level for new file objects. We can ; expect the directory where files are created to have the right ; range of categories applied, but the process creating the file ; may be privileged and have the full range or no range at all. (defaultrange files target low-high) ; Enable policy to use consolidated network peer controls. This ; avoids a function call to the compatibility mode helper, and ; will be faster when no network labeling rules are defined. (policycap "network_peer_controls") ; Enable policy to check "open" actions for file classes. (policycap "open_perms") ; Enable policy to use separate socket security classes. (policycap "extended_socket_class") ; Disable policy to force packet checks even if no network labeling ; rules are defined. ; (policycap "always_check_network") ; Enable policy to allow the cgroup filesystem to be labeled. (policycap "cgroup_seclabel") ; Enable policy to allow domain transitions when executing with the ; "no new privs" bit enabled, or when the executable is on a "nosuid" ; filesystem. (policycap "nnp_nosuid_transition") ; Enable policy to label symlinks on kernel file systems using ; "genfscon" statements, as with directories and files. (policycap "genfs_seclabel_symlinks")