recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 14 May 2019 15:22:08 +0800
Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
 for rpcd_t

Fixes:
type=AVC msg=audit(1558592079.931:494): avc:  denied  { dac_read_search }
for  pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/services/rpc.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index c3e37177b..87b6b4561 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -232,7 +232,7 @@ optional_policy(`
 # Local policy
 #
 
-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
 allow rpcd_t self:capability2 block_suspend;
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
-- 
2.17.1