Allow mpdecision dac_override. Addresses denials such as: avc: denied { dac_override } for comm="mpdecision" capability=1 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability Also auditallow them so that we can track its usage and hopefully eliminate the need for this capability in the future. Change-Id: Ieb617183dadc6e8655d1f808691cdfeeab4a96f3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: a06a056fd08bc13212a424b58153d85be8ab3d22 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Wed Jun 11 09:23:05 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Wed Jun 11 12:04:20 2014 -0400
tree: 63fc13edb86858904c4f3bf9375ff8b00ab48cfb
parent: 8b15fef6ee2caf45be4d9360ec29fc4ef3028220 [diff]
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
index c4455da..838836d 100644
--- a/sepolicy/mpdecision.te
+++ b/sepolicy/mpdecision.te

@@ -2,6 +2,10 @@
 type mpdecision, domain;
 type mpdecision_exec, exec_type, file_type;
 
+# DAC overrides
+allow mpdecision self:capability dac_override;
+auditallow mpdecision self:capability dac_override;
+
 # Started by init
 init_daemon_domain(mpdecision)
commit	a06a056fd08bc13212a424b58153d85be8ab3d22	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Wed Jun 11 09:23:05 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Wed Jun 11 12:04:20 2014 -0400
tree	63fc13edb86858904c4f3bf9375ff8b00ab48cfb
parent	8b15fef6ee2caf45be4d9360ec29fc4ef3028220 [diff]