From 2c465410d92e287baadd050b6ed442bb628fd27c Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 6 Jan 2016 09:09:36 -0500
Subject: [PATCH] Add neverallow for mac_override capability. It is not used by SELinux.
---
 policy/modules/kernel/domain.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 2129e55ab..191d71a1a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.13.0)
+policy_module(domain, 1.13.1)
 ########################################
 #
@@ -35,6 +35,9 @@ attribute set_curr_context;
 # dynamic transition, you should not be using it!!!
 neverallow { domain -set_curr_context } self:process setcurrent;
+# No domain needs mac_override as it is unused by SELinux.
+neverallow domain self:capability2 mac_override;
+
 # entrypoint executables
 attribute entry_type;
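Review bot: The comment above `neverallow domain self:capability2 mac_override;` in the second hunk does not say that this is a build-time assertion rather than a runtime denial. It only rejects policy that is actually checked against it, so modules installed later are covered only if the toolchain evaluates neverallow rules at that point (for example `expand-check` in semanage.conf; confirm the setting on the target). The rule has no exclusion set, so any domain that receives `mac_override` through a wildcard or complement `capability2` grant would presumably now fail the build. The hunk does not show whether such grants elsewhere in the policy were audited. I would expand the comment to something like `# mac_override is unused by SELinux, so any grant is a policy mistake (often an over-broad capability2 rule); this assertion turns it into a build error.`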