From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 3 Mar 2014 09:07:36 -0500 Subject: [refpolicy] [PATCH] Dontaudit screen asking for the sys_tty_config capability In-Reply-To: <1392560294-4180-1-git-send-email-aranea@aixah.de> References: <1392560294-4180-1-git-send-email-aranea@aixah.de> Message-ID: <53148CA8.8070700@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 2/16/2014 9:18 AM, Luis Ressel wrote: > This avc shows up when using screen as root, however screen seems to > work fine without that permission. > --- > screen.if | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/screen.if b/screen.if > index be5cce2..08c8978 100644 > --- a/screen.if > +++ b/screen.if > @@ -54,6 +54,8 @@ template(`screen_role_template',` > dontaudit $3 $1_screen_t:unix_stream_socket { read write }; > allow $1_screen_t $3:process signal; > > + dontaudit $1_screen_t self:capability sys_tty_config; > + > allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; > allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms }; > allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
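Review bot: the line added after "allow $1_screen_t $3:process signal;" in screen_role_template has no comment saying why the sys_tty_config denial is being silenced. Suggest a one-line comment above "dontaudit $1_screen_t self:capability sys_tty_config;" recording what the description says (screen asks for the capability when run as root and works without it), so that anyone later debugging terminal behaviour in a screen domain knows the denial is hidden and that dontaudit rules have to be disabled (semodule -DB) to see it again. Two smaller points: the rule is a self rule of $1_screen_t but is placed between rules that govern the interaction with $3 and the $3 rules on screen_tmp_t, so it would read better grouped with the domain's other self rules; and because it lives in the template it applies to every $1_screen_t instantiated from it, not only to the root case the description mentions, which is worth confirming as intended.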