Policy Configuration Statements
===============================

mls
---

Defines whether the CIL compiler builds the policy as an MLS or non-MLS policy. There MUST be only one [`mls`](cil_policy_config_statements.md#mls) entry in the policy; otherwise the compiler exits with an error.

Note that this can be overridden by the CIL compiler command-line flags `-M true|false` or `--mls true|false`.

**Statement definition:**

```secil
    (mls boolean)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mls</code></p></td>
<td align="left"><p>The <code>mls</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean</code></p></td>
<td align="left"><p>Set to either <code>true</code> or <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

```secil
    (mls true)
```

handleunknown
-------------

Defines how the kernel handles object classes and permissions that are unknown to it when the policy is loaded. There MUST be only one [`handleunknown`](cil_policy_config_statements.md#handleunknown) entry in the policy; otherwise the compiler exits with an error.

Note that this can be overridden by the CIL compiler command-line flags `-U` or `--handle-unknown`.

**Statement definition:**

```secil
    (handleunknown action)
```

**Where:**

<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>handleunknown</code></p></td>
<td align="left"><p>The <code>handleunknown</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>action</code></p></td>
<td align="left"><p>A keyword of either <code>allow</code>, <code>deny</code> or <code>reject</code>. The kernel handles these keywords as follows:</p>
<p><code>allow</code>: allow unknown classes / permissions. The returned access vector (AV) is set to all 1's.</p>
<p><code>deny</code>: deny unknown classes / permissions (the default). The returned access vector (AV) is set to all 0's.</p>
<p><code>reject</code>: refuse to load the policy if it does not contain all the object classes / permissions known to the kernel.</p></td>
</tr>
</tbody>
</table>

**Example:**

This allows unknown classes / permissions to be present in the policy:

```secil
    (handleunknown allow)
```

policycap
---------

Allows policy capabilities to be enabled via policy. They must be declared in the global namespace and must be valid policy capabilities, as the CIL compiler checks them against those known to libsepol.

**Statement definition:**

```secil
    (policycap policycap_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>policycap</code></p></td>
<td align="left"><p>The <code>policycap</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>policycap_id</code></p></td>
<td align="left"><p>The <code>policycap</code> identifier (e.g. <code>open_perms</code>).</p></td>
</tr>
</tbody>
</table>

**Example:**

These enable two valid policy capabilities:

```secil
    ; Enable networking controls.
    (policycap network_peer_controls)

    ; Enable open permission check.
    (policycap open_perms)
```
