1 files changed, 41 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
new file mode 100644
index 0000000..af7f3ad
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,41 @@
+From 0404c4ad3f92408edcdbf46ac0665bf09d4b2516 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+The two new rules make sysadm_t domain MLS trusted for:
+ - reading from files at all levels.
+ - writing to processes up to its clearance(s0-s15).
+With default MLS policy, root user would login in as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+So with the two new rules, root user could work easier in MLS policy.
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/roles/sysadm.te | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 07b9faf30..ac5239d83 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
+ 
+ mls_process_read_all_levels(sysadm_t)
+ 
+mls_file_read_all_levels(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+
+ selinux_read_policy(sysadm_t)
+ 
+ ubac_process_exempt(sysadm_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch new file mode 100644 index 0000000..af7f3ad --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,41 @@
	1	From 0404c4ad3f92408edcdbf46ac0665bf09d4b2516 Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Mon, 28 Jan 2019 14:05:18 +0800
	4	Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
	5
	6	The two new rules make sysadm_t domain MLS trusted for:
	7	- reading from files at all levels.
	8	- writing to processes up to its clearance(s0-s15).
	9
	10	With default MLS policy, root user would login in as sysadm_t:s0 by
	11	default. Most processes will run in sysadm_t:s0 because no
	12	domtrans/rangetrans rules, as a result, even root could not access
	13	high level files/processes.
	14
	15	So with the two new rules, root user could work easier in MLS policy.
	16
	17	Upstream-Status: Inappropriate [embedded specific]
	18
	19	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	20	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	21	---
	22	policy/modules/roles/sysadm.te \| 3 +++
	23	1 file changed, 3 insertions(+)
	24
	25	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
	26	index 07b9faf30..ac5239d83 100644
	27	--- a/policy/modules/roles/sysadm.te
	28	+++ b/policy/modules/roles/sysadm.te
	29	@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
	30
	31	mls_process_read_all_levels(sysadm_t)
	32
	33	+mls_file_read_all_levels(sysadm_t)
	34	+mls_process_write_to_clearance(sysadm_t)
	35	+
	36	selinux_read_policy(sysadm_t)
	37
	38	ubac_process_exempt(sysadm_t)
	39	--
	40	2.17.1
	41