commit: a69295a3c6b598490e971fe458fbcb64d28f8625
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Mar 4 02:05:18 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a69295a3
Allow getty the sys_admin capability
It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
policy/modules/system/getty.te | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea..80fec66 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource
sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_admin
sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
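Review bot: The `sys_admin` added to the `allow getty_t self:capability` rule is now granted on every distribution without a comment explaining why, and the only in-tree rationale (the `# getty requires sys_admin #209426` comment in the `distro_redhat` block removed by the second hunk) disappears with this commit. CAP_SYS_ADMIN is one of the broadest capabilities a domain can hold, so the reason belongs next to the rule, for example `# sys_admin: required by agetty on grsecurity kernels (see also RH #209426)` above the allow line. If the requirement is in fact limited to grsecurity-patched kernels, a separate `allow getty_t self:capability sys_admin;` inside the existing distro_gentoo ifdef block would leave other distributions' policy unchanged. Since Red Hat needed it as well, the unconditional grant may be intended, in which case the comment should say so. It would also help to name the operation that triggers the denial, which the commit message does not identify, so the grant can be revisited later.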
@@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
sysnet_dns_name_resolve(getty_t)
')
-ifdef(`distro_redhat',`
- # getty requires sys_admin #209426
- allow getty_t self:capability sys_admin;
-')
-
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(getty_t)