1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
new file mode 100644
index 0000000..07a11ea
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,40 @@
+From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+The two new rules make sysadm_t domain MLS trusted for:
+ - reading from files at all levels.
+ - writing to processes up to its clearance(s0-s15).
+With default MLS policy, root user would login as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+So with the two new rules, root user could work easier in MLS policy.
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index c08226dc3..4f3207d52 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t)
+ logging_watch_audit_log(sysadm_t)
+ 
+ mls_process_read_all_levels(sysadm_t)
+mls_file_read_all_levels(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+ 
+ selinux_read_policy(sysadm_t)
+ 
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch new file mode 100644 index 0000000..07a11ea --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,40 @@
	1	From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Mon, 28 Jan 2019 14:05:18 +0800
	4	Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
	5
	6	The two new rules make sysadm_t domain MLS trusted for:
	7	- reading from files at all levels.
	8	- writing to processes up to its clearance(s0-s15).
	9
	10	With default MLS policy, root user would login as sysadm_t:s0 by
	11	default. Most processes will run in sysadm_t:s0 because no
	12	domtrans/rangetrans rules, as a result, even root could not access
	13	high level files/processes.
	14
	15	So with the two new rules, root user could work easier in MLS policy.
	16
	17	Upstream-Status: Inappropriate [embedded specific]
	18
	19	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	20	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	21	---
	22	policy/modules/roles/sysadm.te \| 2 ++
	23	1 file changed, 2 insertions(+)
	24
	25	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
	26	index c08226dc3..4f3207d52 100644
	27	--- a/policy/modules/roles/sysadm.te
	28	+++ b/policy/modules/roles/sysadm.te
	29	@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t)
	30	logging_watch_audit_log(sysadm_t)
	31
	32	mls_process_read_all_levels(sysadm_t)
	33	+mls_file_read_all_levels(sysadm_t)
	34	+mls_process_write_to_clearance(sysadm_t)
	35
	36	selinux_read_policy(sysadm_t)
	37
	38	--
	39	2.25.1
	40