mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-03-30 15:26:32 +00:00
c06b3d6dd0
When /etc/sudoers contains "Defaults use_pty", sudo creates a new
pseudo-pty when running a command. This is currently denied from
a sysadm_u session:
type=AVC msg=audit(1567807315.843:13300): avc: denied { read write
} for pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108
scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0
As it seems logical for the newly-created pty to be labeled
user_devpts_t, use userdom_create_user_pty() to allow this.
Then, a new denial appears:
type=AVC msg=audit(1567808670.441:13341): avc: denied { setattr }
for pid=30256 comm="sudo" name="9" dev="devpts" ino=12
scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file
permissive=0
type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e
syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5
a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0
gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo"
subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)
On x86-64, syscall 92 is chown(). Allow this access with
userdom_setattr_user_ptys().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||
|---|---|---|
| .. | ||
| flask | ||
| modules | ||
| support | ||
| constraints | ||
| context_defaults | ||
| global_booleans | ||
| global_tunables | ||
| mcs | ||
| mls | ||
| policy_capabilities | ||
| users | ||