diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch new file mode 100644 index 0000000..86317b3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 3 | Date: Mon, 28 Jan 2019 14:05:18 +0800 | ||
| 4 | Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance | ||
| 5 | |||
| 6 | The two new rules make sysadm_t domain MLS trusted for: | ||
| 7 | - reading from files at all levels. | ||
| 8 | - writing to processes up to its clearance(s0-s15). | ||
| 9 | |||
| 10 | With default MLS policy, root user would login in as sysadm_t:s0 by | ||
| 11 | default. Most processes will run in sysadm_t:s0 because no | ||
| 12 | domtrans/rangetrans rules, as a result, even root could not access | ||
| 13 | high level files/processes. | ||
| 14 | |||
| 15 | So with the two new rules, root user could work easier in MLS policy. | ||
| 16 | |||
| 17 | Upstream-Status: Inappropriate [embedded specific] | ||
| 18 | |||
| 19 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 20 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 21 | --- | ||
| 22 | policy/modules/roles/sysadm.te | 2 ++ | ||
| 23 | 1 file changed, 2 insertions(+) | ||
| 24 | |||
| 25 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
| 26 | index e1933a5bd..0682ed31a 100644 | ||
| 27 | --- a/policy/modules/roles/sysadm.te | ||
| 28 | +++ b/policy/modules/roles/sysadm.te | ||
| 29 | @@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t) | ||
| 30 | logging_watch_audit_log(sysadm_t) | ||
| 31 | |||
| 32 | mls_process_read_all_levels(sysadm_t) | ||
| 33 | +mls_file_read_all_levels(sysadm_t) | ||
| 34 | +mls_process_write_to_clearance(sysadm_t) | ||
| 35 | |||
| 36 | selinux_read_policy(sysadm_t) | ||
| 37 | |||
| 38 | -- | ||
| 39 | 2.17.1 | ||
| 40 | |||