libsepol: Add always_check_network policy capability

Currently the packet class in SELinux is not checked if there are no SECMARK rules in the security or mangle netfilter tables. Similarly, the peer class is not checked if there is no NetLabel or labeled IPSEC. Some systems prefer that these classes are always checked, for example, to protect the system should the netfilter rules fail to load or if the nefilter rules were maliciously flushed. Add the always_check_network policy capability which, when enabled, treats these mechanisms as enabled, even if there are no labeling rules. Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Signed-off-by: Eric Paris <eparis@redhat.com>
2024-12-04 01:20:52 +00:00 · 2012-06-06 13:27:10 -04:00 · 2012-06-06 13:27:10 -04:00 · 01723ac2ce
commit 01723ac2ce
parent 1f3bca77e0
2 changed files with 2 additions and 0 deletions
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@ -6,6 +6,7 @@ enum {
 	POLICYDB_CAPABILITY_NETPEER,
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
+	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@ -9,6 +9,7 @@ static const char *polcap_names[] = {
 	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
 	"open_perms",			/* POLICYDB_CAPABILITY_OPENPERM */
 	"redhat1",			/* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
+	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
 	NULL
 };