Allow getty the sys_admin capability

It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
Luis Ressel 2016-03-04 03:05:18 +01:00 committed by Chris PeBenito
parent a2de14b61f
commit 7216d000d9


@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
#
# Use capabilities.
allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
sysnet_dns_name_resolve(getty_t)
')
ifdef(`distro_redhat',`
# getty requires sys_admin #209426
allow getty_t self:capability sys_admin;
')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(getty_t)
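Review bot: The widened rule in the first hunk, `allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };`, now grants sys_admin to getty_t on every distribution with no comment in the policy saying why. The removed distro_redhat block at least carried `# getty requires sys_admin #209426`. sys_admin is one of the broadest capabilities, so someone auditing getty_t needs the reason next to the rule, not only in the commit message. I would keep it as its own rule with a comment, e.g. `# sys_admin: required by agetty on kernels with a recent grsecurity patchset` above `allow getty_t self:capability sys_admin;`. If the specific operation agetty performs is known, naming it in that comment would let a later review decide whether the grant can be narrowed or dropped.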