Message ID | 20200720145030.1743325-1-dominick.grift@defensec.nl (mailing list archive) |
---|---|
State | Changes Requested |
Series | [SELinux-notebook] lsm_selinux: document genfs_seclabel_symlinks policy capability |
On Mon, Jul 20, 2020 at 10:53 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > This was added with Linux 5.7 and SELinux 3.1 > > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > src/lsm_selinux.md | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md > index a400c36..8e6f3ad 100644 > --- a/src/lsm_selinux.md > +++ b/src/lsm_selinux.md > @@ -676,6 +676,11 @@ interface, it is not recommended - use the **libselinux** or **libsepol** librar > <td>Enables the use of separate socket security classes for all network address families rather than the generic socket class.</td> > </tr> > <tr> > +<td>genfs_seclabel_symlinks</td> > +<td>-r--r--r--</td> > +<td>Symlinks on kernel filesystems will receive contexts based on genfscon statements like directories and files.</td> > +</tr> > +<tr> Maybe "Enables fine-grained labeling of symlinks in pseudo filesystems based on genfscon rules."
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md index a400c36..8e6f3ad 100644 --- a/src/lsm_selinux.md +++ b/src/lsm_selinux.md @@ -676,6 +676,11 @@ interface, it is not recommended - use the **libselinux** or **libsepol** librar <td>Enables the use of separate socket security classes for all network address families rather than the generic socket class.</td> </tr> <tr> +<td>genfs_seclabel_symlinks</td> +<td>-r--r--r--</td> +<td>Symlinks on kernel filesystems will receive contexts based on genfscon statements like directories and files.</td> +</tr> +<tr> <td>network_peer_controls</td> <td>-r--r--r--</td> <td><p>If true the following network_peer_controls are enabled:</p>
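Review bot: The description cell of the new genfs_seclabel_symlinks row is ambiguous and out of step with the row above it. "based on genfscon statements like directories and files" can be read as qualifying the statements rather than saying that symlinks are now labeled the same way directories and files are, and the preceding row opens with "Enables ...". Consider something like "Enables labeling of symlinks on kernel filesystems from genfscon statements, in the same way as directories and files." Separately, the commit message states that this was added with Linux 5.7 and SELinux 3.1, but the added row does not; putting those versions in the cell would tell readers which kernel and userspace releases expose the capability.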
This was added with Linux 5.7 and SELinux 3.1 Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- src/lsm_selinux.md | 5 +++++ 1 file changed, 5 insertions(+)