selinux-refpolicy

mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-30 15:26:32 +00:00

History

Nicolas Iooss 1097ce0e24 sudo: allow using CAP_KILL for SIGWINCH With the following process tree: LABEL UID PID PPID TTY CMD sysadm_u:sysadm_r:sysadm_t root 18146 12404 pts/0 /usr/bin/zsh sysadm_u:sysadm_r:sysadm_sudo_t root 18441 18146 pts/0 sudo -su user sysadm_u:sysadm_r:sysadm_sudo_t root 18443 18441 pts/1 sudo -su user sysadm_u:sysadm_r:sysadm_t user 18444 18443 pts/1 /usr/bin/zsh When the terminal window of the first process is resized, SIGWINCH is forwarded by process 18443, which requests capability CAP_KILL: type=AVC msg=audit(1567881640.754:13839): avc: denied { kill } for pid=18443 comm="sudo" capability=5 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability permissive=0 type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100 items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) type=PROCTITLE msg=audit(1567881640.754:13839): proctitle=7375646F002D73750075736572 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>		2019-09-14 14:00:58 +02:00
..
flask	Remove incorrect comment about capability2:mac_admin.	2019-03-11 20:49:42 -04:00
modules	sudo: allow using CAP_KILL for SIGWINCH	2019-09-14 14:00:58 +02:00
support	obj_perm_sets.spt: Add xdp_socket to socket_class_set.	2018-10-23 17:18:43 -04:00
constraints	refpolicy: Update for kernel sctp support	2018-03-21 14:14:37 -04:00
context_defaults
global_booleans
global_tunables
mcs	refpolicy: Update for kernel sctp support	2018-03-21 14:14:37 -04:00
mls	Remove unused translate permission in context userspace class.	2018-10-13 13:39:18 -04:00
policy_capabilities
users