From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation
Date: Fri, 4 Apr 2014 16:09:34 -0400 [thread overview]
Message-ID: <533F117E.7080902@tresys.com> (raw)
In-Reply-To: <1395779408-29213-2-git-send-email-sven.vermeulen@siphos.be>
On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
> related to the getattr permission against tty_device_t:chr_file for the
> *_sudo_t domain. However, no additional logging (that would hint at a
> need) by sudo, nor any functional issues come up.
>
> Hence the dontaudit call.
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/admin/sudo.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 0960199..d9114b3 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -110,6 +110,7 @@ template(`sudo_role_template',`
> selinux_compute_relabel_context($1_sudo_t)
>
> term_getattr_pty_fs($1_sudo_t)
> + term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
> term_relabel_all_ttys($1_sudo_t)
> term_relabel_all_ptys($1_sudo_t)
>
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-04-04 20:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-25 20:30 [refpolicy] [PATCH 0/5] Upstreaming Gentoo policy updates Sven Vermeulen
2014-03-25 20:30 ` [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation Sven Vermeulen
2014-04-04 20:09 ` Christopher J. PeBenito [this message]
2014-03-25 20:30 ` [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd Sven Vermeulen
2014-04-04 20:07 ` Christopher J. PeBenito
2014-04-09 16:52 ` Sven Vermeulen
2014-04-11 12:57 ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online Sven Vermeulen
2014-04-04 20:09 ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux Sven Vermeulen
2014-04-04 20:00 ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 5/5] Dontaudit access on security_t file system " Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=533F117E.7080902@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.