Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 40 |
1 files changed, 40 insertions, 0 deletions
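--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,40 @@
+From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+
+The two new rules make sysadm_t domain MLS trusted for:
+- reading from files at all levels.
+- writing to processes up to its clearance(s0-s15).
+
+With default MLS policy, root user would login as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+
+So with the two new rules, root user could work easier in MLS policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index c08226dc3..4f3207d52 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t)
+logging_watch_audit_log(sysadm_t)
+
+mls_process_read_all_levels(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
+
+selinux_read_policy(sysadm_t)
+
+--
+2.25.1
+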
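Review bot: `mls_file_read_all_levels(sysadm_t)` (line 33 of the embedded patch) is broader than the commit message's stated goal: it lets every sysadm_t process read files at any MLS level irrespective of the user's clearance, removing no-read-up for the whole admin role, whereas the companion `mls_process_write_to_clearance(sysadm_t)` rule stays bounded by clearance. If the refpolicy version being patched provides it, `mls_file_read_to_clearance(sysadm_t)` would keep the read side bounded by the same clearance and match the "up to its clearance" wording of the message. The message also states that processes run as sysadm_t:s0 with no rangetrans rules; if that is literal, their clearance is s0 and the write-to-clearance rule grants nothing, so it is worth confirming that root actually logs in with an s0-s15 range (as the "(s0-s15)" hint suggests) and saying so. Either way the two lines deserve a policy comment in sysadm.te recording that they are a deliberate MLS override for the embedded use case, e.g. `# MLS override (embedded): sysadm_t may read files at all levels and write to processes up to its clearance; bypasses no-read-up for the admin role.`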