Allow mpdecision dac_override.
Addresses denials such as:
avc: denied { dac_override } for comm="mpdecision" capability=1 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
Also auditallow them so that we can track its usage and hopefully
eliminate the need for this capability in the future.
Change-Id: Ieb617183dadc6e8655d1f808691cdfeeab4a96f3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index c4455da..838836d 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te
@@ -2,6 +2,10 @@
type mpdecision, domain;
type mpdecision_exec, exec_type, file_type;
+# DAC overrides
+allow mpdecision self:capability dac_override;
+auditallow mpdecision self:capability dac_override;
+
# Started by init
init_daemon_domain(mpdecision)
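Review bot: The `# DAC overrides` comment on the new `allow mpdecision self:capability dac_override;` rule does not record that the grant is meant to be temporary or why `auditallow` sits next to it. That intent is only in the commit message, which will not be in front of the next person editing mpdecision.te. Suggest expanding the comment to say that the capability is granted pending removal and that the `auditallow` line exists to log each use so the dependency can be tracked down. The quoted avc denial is a capability check and carries no path or target file, so the change gives no indication of which file access needs the override. If the file is known, name it in the comment. If not, a note that it has to be identified from the auditallow records would help, since the cleaner fix is to correct that file's ownership or mode rather than keep `dac_override` in the domain.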