Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 41 |
1 files changed, 41 insertions, 0 deletions
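--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,41 @@
+From 0404c4ad3f92408edcdbf46ac0665bf09d4b2516 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+
+The two new rules make sysadm_t domain MLS trusted for:
+- reading from files at all levels.
+- writing to processes up to its clearance(s0-s15).
+
+With default MLS policy, root user would login in as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+
+So with the two new rules, root user could work easier in MLS policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 07b9faf30..ac5239d83 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
+
+mls_process_read_all_levels(sysadm_t)
+
++mls_file_read_all_levels(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
++
+selinux_read_policy(sysadm_t)
+
+ubac_process_exempt(sysadm_t)
+--
+2.17.1
+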
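Review bot: `mls_file_read_all_levels(sysadm_t)` on the new side removes the MLS read check for every sysadm_t process regardless of its current level, so a `sysadm_t:s0` shell can read s15-labelled files and then write their contents into files at its own level s0 — that makes sysadm_t an MLS-trusted declassification path, which the commit message presents only as a convenience for root. The message also appears internally inconsistent: it says root logs in as `sysadm_t:s0`, yet `mls_process_write_to_clearance` only widens anything when the process context carries a range such as `s0-s15`; with a single-level s0 context the second rule seems to add nothing, so the real effect depends on the seusers/default_contexts range, which this patch does not show. If the goal is for root to reach higher levels, giving the login context a range and using `newrole -l`/`runcon` to raise the level keeps the data-flow check intact instead of exempting the whole domain. At minimum the sysadm.te hunk should carry a comment above the two new lines stating the trust grant, e.g. `# MLS-trusted: sysadm_t reads files at any level and writes to processes up to its clearance; this is a declassification path, so limit who can reach sysadm_r.`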