userdomain: allow grant mac_admin capability to security admin

cap_mac_admin is required to operate some LSM modules, such as selinux, apparmor, smack, etc. It is necessary to allow the security administrator role to grant this capability. Signed-off-by: Tianjia Zhang <[email protected]>
cgzones · Jan 16, 2025 · 4e7352b · 4e7352b
1 parent 94d9ea4
commit 4e7352b
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ template(`userdom_admin_user_template',`
 #
 interface(`userdom_security_admin_template',`
 	allow $1 self:capability { dac_override dac_read_search };
+	allow $1 self:capability2 mac_admin;
 
 	corecmd_exec_shell($1)