blob: 07a11ea00aeba80ac6922a33f0246cc4281ca691 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Mon, 28 Jan 2019 14:05:18 +0800
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
The two new rules make sysadm_t domain MLS trusted for:
- reading from files at all levels.
- writing to processes up to its clearance(s0-s15).
With default MLS policy, root user would login as sysadm_t:s0 by
default. Most processes will run in sysadm_t:s0 because no
domtrans/rangetrans rules, as a result, even root could not access
high level files/processes.
So with the two new rules, root user could work easier in MLS policy.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/roles/sysadm.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c08226dc3..4f3207d52 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t)
logging_watch_audit_log(sysadm_t)
mls_process_read_all_levels(sysadm_t)
+mls_file_read_all_levels(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
selinux_read_policy(sysadm_t)
--
2.25.1
|
