Defines whether the policy is built as an MLS or non-MLS policy by the CIL compiler. There MUST only be one mls
entry in the policy otherwise the compiler will exit with an error.
Note that this can be over-ridden by the CIL compiler command line parameter -M true|false
or --mls true|false
flags.
Statement definition:
(mls boolean)
Where:
Example:
(mls true)
Defines how the kernel will handle unknown object classes and permissions when loading the policy. There MUST only be one handleunknown
entry in the policy otherwise the compiler will exit with an error.
Note that this can be over-ridden by the CIL compiler command line parameter -U
or --handle-unknown
flags.
Statement definition:
(handleunknown action)
Where:
Example:
This will allow unknown classes / permissions to be present in the policy:
(handleunknown allow)
Allow policy capabilities to be enabled via policy. These should be declared in the global namespace and be valid policy capabilities as they are checked against those known in libsepol by the CIL compiler.
Statement definition:
(policycap policycap_id)
Where:
Example:
These set two valid policy capabilities:
; Enable networking controls. (policycap network_peer_controls) ; Enable open permission check. (policycap open_perms)