From 4e7352b61fb83b26a716f3ac5b9398aea30e79d7 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang
Date: Thu, 16 Jan 2025 10:38:28 +0800
Subject: [PATCH] userdomain: allow grant mac_admin capability to security admin

cap_mac_admin is required to operate some LSM modules, such as selinux, apparmor, smack, etc. It is necessary to allow the security administrator role to grant this capability.

Signed-off-by: Tianjia Zhang
---
 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 447ca76c5f..677bad4809 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ template(`userdom_admin_user_template',`
 #
 interface(`userdom_security_admin_template',`
 allow $1 self:capability { dac_override dac_read_search };
+ allow $1 self:capability2 mac_admin;
 corecmd_exec_shell($1)
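Review bot: The added `allow $1 self:capability2 mac_admin;` gives the capability to the calling admin domain itself, unconditionally, and carries no comment saying why a role built from this template needs it. Under SELinux, mac_admin lets a process set security contexts that the loaded policy does not define, so every process that stays in `$1` would hold that ability, apparently including the shell that `corecmd_exec_shell($1)` lets it run, rather than only a dedicated labelling tool. I would at least add a why-comment above the rule, e.g. `# mac_admin: lets the security admin manage LSM state, such as labels not defined in the loaded policy`, and consider whether the rule belongs in a narrower helper domain or behind a tunable instead of the template body. The interface body continues past this hunk and its doc header, if any, lies before it, so that summary may also need to mention the new capability.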