1 files changed, 36 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
new file mode 100644
index 0000000..8f68d66
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
+From 1c71d74635c2b39a15c449e75eacae23b3d4f1b8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 30 May 2019 08:30:06 +0800
+Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
+ reading from files up to its clearance
+Fixes:
+type=AVC msg=audit(1559176077.169:242): avc:  denied  { search } for
+pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
+scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/rpc.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 7c0b37ddc..ef6cb9b63 100644
+--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
+@@ -185,6 +185,8 @@ seutil_dontaudit_search_config(rpcd_t)
+ 
+ userdom_signal_all_users(rpcd_t)
+ 
+mls_file_read_to_clearance(rpcd_t)
+
+ ifdef(`distro_debian',`
+        term_dontaudit_use_unallocated_ttys(rpcd_t)
+ ')
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch new file mode 100644 index 0000000..8f68d66 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
	1	From 1c71d74635c2b39a15c449e75eacae23b3d4f1b8 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Thu, 30 May 2019 08:30:06 +0800
	4	Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
	5	reading from files up to its clearance
	6
	7	Fixes:
	8	type=AVC msg=audit(1559176077.169:242): avc: denied { search } for
	9	pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
	10	scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
	11	tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
	12	permissive=0
	13
	14	Upstream-Status: Inappropriate [embedded specific]
	15
	16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	17	---
	18	policy/modules/services/rpc.te \| 2 ++
	19	1 file changed, 2 insertions(+)
	20
	21	diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
	22	index 7c0b37ddc..ef6cb9b63 100644
	23	--- a/policy/modules/services/rpc.te
	24	+++ b/policy/modules/services/rpc.te
	25	@@ -185,6 +185,8 @@ seutil_dontaudit_search_config(rpcd_t)
	26
	27	userdom_signal_all_users(rpcd_t)
	28
	29	+mls_file_read_to_clearance(rpcd_t)
	30	+
	31	ifdef(`distro_debian',`
	32	term_dontaudit_use_unallocated_ttys(rpcd_t)
	33	')
	34	--
	35	2.17.1
	36