blob: f4417423e504f0039c7f0904ee8158dd34b49a08 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From b83147aa97fe6f51c997256539dff827e3a44edc Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Mon, 28 Jan 2019 14:05:18 +0800
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
The two new rules make sysadm_t domain MLS trusted for:
- reading from files at all levels.
- writing to processes up to its clearance(s0-s15).
With default MLS policy, root user would login in as sysadm_t:s0 by
default. Most processes will run in sysadm_t:s0 because no
domtrans/rangetrans rules, as a result, even root could not access
high level files/processes.
So with the two new rules, root user could work easier in MLS policy.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/roles/sysadm.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a4abaefe4..aaae73fc3 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
mls_process_read_all_levels(sysadm_t)
+mls_file_read_all_levels(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+
selinux_read_policy(sysadm_t)
ubac_process_exempt(sysadm_t)
--
2.17.1
|
