commit:     8805f778f132c0aafa48fa461d4c1d4b9bdb8487
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 28 18:06:22 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8805f778

sysadm: allow inheriting fds from systemd

time->Sat Jun 28 14:04:33 2025
type=PROCTITLE msg=audit(1751133873.271:16234): proctitle="-bash"
type=PATH msg=audit(1751133873.271:16234): item=0 
name="/lib64/ld-linux-x86-64.so.2" inode=2864580 dev=00:24 mode=0100755 ouid=0 
ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 
cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1751133873.271:16234): cwd="/root"
type=EXECVE msg=audit(1751133873.271:16234): argc=1 a0="-bash"
type=SYSCALL msg=audit(1751133873.271:16234): arch=c000003e syscall=59 
success=yes exit=0 a0=6a9c1e2d810 a1=7cf16438c8f0 a2=6a9c1e3c260 
a3=7cf16438c960 items=1 ppid=262172 pid=263172 auid=0 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=16 comm="bash" exe="/usr/bin/bash" 
subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { siginh } for  
pid=263172 comm="bash" scontext=system_u:system_r:local_login_t:s0 
tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { rlimitinh } for  
pid=263172 comm="bash" scontext=system_u:system_r:local_login_t:s0 
tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { use } for  pid=263172 
comm="bash" path="/dev/tty1" dev="devtmpfs" ino=19 
scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:init_t:s0 
tclass=fd permissive=0
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { use } for  pid=263172 
comm="bash" path="/dev/tty1" dev="devtmpfs" ino=19 
scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:init_t:s0 
tclass=fd permissive=0
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { use } for  pid=263172 
comm="bash" path="/dev/tty1" dev="devtmpfs" ino=19 
scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:init_t:s0 
tclass=fd permissive=0
type=AVC msg=audit(1751133873.271:16234): avc:  denied  { noatsecure } for  
pid=263172 comm="login" scontext=system_u:system_r:local_login_t:s0 
tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/sysadm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 906967ff0..74982b8a9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -91,6 +91,9 @@ ifdef(`init_systemd',`
        init_start_runtime_units(sysadm_t)
        init_stop_runtime_units(sysadm_t)
 
+       # Direct root login on local tty fails without this.
+       init_use_fds(sysadm_t)
+
        # Allow sysadm to resolve the username of dynamic users by calling
        # LookupDynamicUserByUID on org.freedesktop.systemd1.
        init_dbus_chat(sysadm_t)
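Review bot: The comment on the added `init_use_fds(sysadm_t)` line says only that root login on a local tty fails, without recording which fd is being inherited; the AVC lines in the description show it is the tty fd (path="/dev/tty1") held by init_t and passed down the login chain to the sysadm_t shell. A comment that names the object keeps the grant reviewable later, e.g. `# The login shell inherits the tty fd (e.g. /dev/tty1) opened by systemd (init_t);` / `# without fd use, direct root login on a local tty fails.`. Note that the interface covers every init_t fd, not only the tty, so this is broader than the single object the denial shows; as far as I can tell refpolicy offers no narrower fd-class interface, but that is worth stating in the comment. The siginh, rlimitinh and noatsecure denials also quoted in the description are from local_login_t to sysadm_t and are not addressed by this hunk; presumably they are covered elsewhere in the login transition pattern, but the commit message does not say so.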
