Allow getty the sys_admin capability
It's required for agetty on kernels with a recent grsecurity patchset. (The denial itself has been showing up for quite some time, but it hasn't had any obvious ill effects until recently.)
This commit is contained in:
parent
a2de14b61f
commit
7216d000d9
@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
|
||||
#
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
|
||||
dontaudit getty_t self:capability sys_tty_config;
|
||||
allow getty_t self:process { getpgid setpgid getsession signal_perms };
|
||||
allow getty_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_dns_name_resolve(getty_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# getty requires sys_admin #209426
|
||||
allow getty_t self:capability sys_admin;
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(getty_t)
|
||||
|
Loading…
Reference in New Issue
Block a user