From a06a056fd08bc13212a424b58153d85be8ab3d22 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 11 Jun 2014 09:23:05 -0400
Subject: Allow mpdecision dac_override.

Addresses denials such as:
avc: denied { dac_override } for comm="mpdecision" capability=1 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability

Also auditallow them so that we can track its usage and hopefully
eliminate the need for this capability in the future.

Change-Id: Ieb617183dadc6e8655d1f808691cdfeeab4a96f3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 sepolicy/mpdecision.te | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'sepolicy')

diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index c4455da..838836d 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -2,6 +2,10 @@
 type mpdecision, domain;
 type mpdecision_exec, exec_type, file_type;
 
+# DAC overrides
+allow mpdecision self:capability dac_override;
+auditallow mpdecision self:capability dac_override;
+
 # Started by init
 init_daemon_domain(mpdecision)
 
-- 
cgit v1.2.3