From a7700d9bb76aa789827855b3324d9a1030b28356 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 18 Oct 2021 23:23:51 +0800
Subject: [PATCH] rpc: add dac_read_search capability for rpcd_t

Fixes: avc: denied { dac_read_search } for pid=473 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=capability permissive=1

Signed-off-by: Yi Zhao
---
 policy/modules/services/rpc.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 4dae82a1e..355ed844d 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -232,7 +232,7 @@ optional_policy(`
 # Local policy
 #
-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
 allow rpcd_t self:capability2 block_suspend;
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
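Review bot: The added dac_read_search on the rpcd_t capability rule is justified only by a single denial captured in permissive mode, and the same line already grants dac_override, which covers the read and search bypass that sm-notify appears to need; the likely reason the audit message shows up at all is that, for directory read/search, the kernel's DAC check consults CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE, so the first check is logged even though the second would have succeeded in enforcing mode. Because dac_read_search is also checked on its own by some paths (open_by_handle_at is one), adding it beside dac_override is a real widening rather than a no-op, and the grant should be confirmed against an enforcing-mode test before merging. If dac_override is not otherwise needed by rpcd_t, the narrower fix is to swap rather than add: `allow rpcd_t self:capability { chown dac_read_search setgid setpcap setuid sys_admin };`; if dac_override must stay, the usual refpolicy pattern is to keep the allow as it was and silence the spurious audit with `dontaudit rpcd_t self:capability dac_read_search;`. Whichever is chosen, a short comment above the rule such as `# sm-notify: read/search of state directories not owned by its uid (see commit message)` would tell the next reader why the capability is present.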