1 files changed, 34 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch
new file mode 100644
index 0000000..074647d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch
@@ -0,0 +1,34 @@
+From fbc8f3140bf6b519bad568fc1d840c9043fc13db Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 14 May 2019 15:22:08 +0800
+Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
+ for rpcd_t
+Fixes:
+type=AVC msg=audit(1558592079.931:494): avc:  denied  { dac_read_search }
+for  pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
+tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 020dbc4ad..c06ff803f 100644
+--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
+@@ -142,7 +142,7 @@ optional_policy(`
+ # Local policy
+ #
+ 
+-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
+ allow rpcd_t self:capability2 block_suspend;
+ allow rpcd_t self:process { getcap setcap };
+ allow rpcd_t self:fifo_file rw_fifo_file_perms;
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch new file mode 100644 index 0000000..074647d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch
@@ -0,0 +1,34 @@
	1	From fbc8f3140bf6b519bad568fc1d840c9043fc13db Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Tue, 14 May 2019 15:22:08 +0800
	4	Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
	5	for rpcd_t
	6
	7	Fixes:
	8	type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search }
	9	for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
	10	tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
	11
	12	Upstream-Status: Inappropriate [embedded specific]
	13
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	policy/modules/services/rpc.te \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
	20	index 020dbc4ad..c06ff803f 100644
	21	--- a/policy/modules/services/rpc.te
	22	+++ b/policy/modules/services/rpc.te
	23	@@ -142,7 +142,7 @@ optional_policy(`
	24	# Local policy
	25	#
	26
	27	-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
	28	+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
	29	allow rpcd_t self:capability2 block_suspend;
	30	allow rpcd_t self:process { getcap setcap };
	31	allow rpcd_t self:fifo_file rw_fifo_file_perms;
	32	--
	33	2.17.1
	34