diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch new file mode 100644 index 0000000..074647d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From fbc8f3140bf6b519bad568fc1d840c9043fc13db Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 14 May 2019 15:22:08 +0800 | ||
4 | Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search | ||
5 | for rpcd_t | ||
6 | |||
7 | Fixes: | ||
8 | type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search } | ||
9 | for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t | ||
10 | tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0 | ||
11 | |||
12 | Upstream-Status: Inappropriate [embedded specific] | ||
13 | |||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | policy/modules/services/rpc.te | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te | ||
20 | index 020dbc4ad..c06ff803f 100644 | ||
21 | --- a/policy/modules/services/rpc.te | ||
22 | +++ b/policy/modules/services/rpc.te | ||
23 | @@ -142,7 +142,7 @@ optional_policy(` | ||
24 | # Local policy | ||
25 | # | ||
26 | |||
27 | -allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin }; | ||
28 | +allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin }; | ||
29 | allow rpcd_t self:capability2 block_suspend; | ||
30 | allow rpcd_t self:process { getcap setcap }; | ||
31 | allow rpcd_t self:fifo_file rw_fifo_file_perms; | ||
32 | -- | ||
33 | 2.17.1 | ||
34 | |||