From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id ABA0A1582EF for ; Sat, 08 Mar 2025 23:55:09 +0000 (UTC) Received: from lists.gentoo.org (bobolink.gentoo.org [140.211.166.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: relay-lists.gentoo.org@gentoo.org) by smtp.gentoo.org (Postfix) with ESMTPSA id 954843408DD for ; Sat, 08 Mar 2025 23:55:09 +0000 (UTC) Received: from bobolink.gentoo.org (localhost [127.0.0.1]) by bobolink.gentoo.org (Postfix) with ESMTP id B3F22110370; Sat, 08 Mar 2025 23:55:05 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bobolink.gentoo.org (Postfix) with ESMTPS id A245F110370 for ; Sat, 08 Mar 2025 23:55:05 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3BD9E335D6A for ; Sat, 08 Mar 2025 23:55:05 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9C297280C for ; Sat, 08 Mar 2025 23:55:03 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1741474868.6cba76d3a79495c992b82de5214a9e597a97171a.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/userdomain.if X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6cba76d3a79495c992b82de5214a9e597a97171a X-VCS-Branch: master Date: Sat, 08 Mar 2025 23:55:03 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 28c931ac-0d4d-4100-8802-f73dfad055c5 X-Archives-Hash: ac283b5e56bf0fbe2bf8041487d94313 commit: 6cba76d3a79495c992b82de5214a9e597a97171a Author: Tianjia Zhang linux alibaba com> AuthorDate: Thu Jan 16 02:38:28 2025 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Mar 8 23:01:08 2025 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6cba76d3 userdomain: allow grant mac_admin capability to security admin cap_mac_admin is required to operate some LSM modules, such as selinux, apparmor, smack, etc. It is necessary to allow the security administrator role to grant this capability. Signed-off-by: Tianjia Zhang linux.alibaba.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/system/userdomain.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index aaa7718e6..2c0aeef5a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1523,6 +1523,7 @@ template(`userdom_admin_user_template',` # interface(`userdom_security_admin_template',` allow $1 self:capability { dac_override dac_read_search }; + allow $1 self:capability2 mac_admin; corecmd_exec_shell($1)