libsepol: add support for the new "init" initial SID

Resurrect the naming of the "init" initial SID, as it has been reintroduced in the kernel. Also add the new "userspace_initial_context" policy capability that is used to enable the new semantics for this initial SID. Signed-off-by: Ondrej Mosnacek <[email protected]>
SELinuxProject · Jun 30, 2023 · 02e471f · 02e471f
1 parent 55b75a2
commit 02e471f
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
@@ -15,6 +15,7 @@ enum {
  POLICYDB_CAP_NNP_NOSUID_TRANSITION,
  POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
  POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
+ POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
  __POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)

diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
@@ -20,7 +20,7 @@ static const char * const selinux_sid_to_str[] = {
  NULL,
  "file",
  NULL,
- NULL,
+ "init",
  "any_socket",
  "port",
  "netif",

diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
@@ -14,6 +14,7 @@ static const char * const polcap_names[] = {
  "nnp_nosuid_transition", /* POLICYDB_CAP_NNP_NOSUID_TRANSITION */
  "genfs_seclabel_symlinks", /* POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS */
  "ioctl_skip_cloexec", /* POLICYDB_CAP_IOCTL_SKIP_CLOEXEC */
+ "userspace_initial_context", /* POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT */
  NULL
 };