When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
sudo should be able to getattr on all executables not just
bin_t/sbin_t. Confined executeables run from sudo need this.
sudo_exec_t needs to be marked as exec_type so prelink will work correctly.
sudo semanage should work
Sven Vermeulen
Chris PeBenito
Dominick Grift
Chris PeBenito