commit: 6cba76d3a79495c992b82de5214a9e597a97171a
Author: Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Thu Jan 16 02:38:28 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6cba76d3
userdomain: allow grant mac_admin capability to security admin
cap_mac_admin is required to operate some LSM modules, such as
selinux, apparmor, smack, etc. It is necessary to allow the security
administrator role to grant this capability.
Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/userdomain.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index aaa7718e6..2c0aeef5a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1523,6 +1523,7 @@ template(`userdom_admin_user_template',`
#
interface(`userdom_security_admin_template',`
allow $1 self:capability { dac_override dac_read_search };
+ allow $1 self:capability2 mac_admin;
corecmd_exec_shell($1)
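Review bot: The added `allow $1 self:capability2 mac_admin;` in `userdom_security_admin_template` is unconditional and has no comment, so every domain passed to this template gains mac_admin with nothing in the policy source recording why. Under SELinux this permission lets a process set or read security contexts that the loaded policy does not define, which is a different kind of privilege from the neighbouring `dac_override dac_read_search` rule. The commit message justifies it by LSM administration in general (selinux, apparmor, smack). Please add a one-line comment above the rule stating the concrete use case and mention the capability in the interface's documentation. If not every security admin role needs it, consider putting the rule behind a tunable instead of granting it to all callers.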