rpc: add dac_read_search capability for rpcd_t

Fixes: avc: denied { dac_read_search } for pid=473 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=capability permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-18 23:23:51 +08:00 · 2021-10-18 23:23:51 +08:00 · a7700d9bb7
commit a7700d9bb7
parent 6a3bba766f
1 changed files with 1 additions and 1 deletions
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@ -232,7 +232,7 @@ optional_policy(`
 # Local policy
 #

-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
 allow rpcd_t self:capability2 block_suspend;
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;