From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 25 Mar 2014 21:30:04 +0100
Subject: [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation
In-Reply-To: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be>
References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1395779408-29213-2-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.

Hence the dontaudit call.

Signed-off-by: Sven Vermeulen
--- policy/modules/admin/sudo.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 0960199..d9114b3 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -110,6 +110,7 @@ template(`sudo_role_template',` selinux_compute_relabel_context($1_sudo_t) term_getattr_pty_fs($1_sudo_t) + term_dontaudit_getattr_unallocated_ttys($1_sudo_t) term_relabel_all_ttys($1_sudo_t) term_relabel_all_ptys($1_sudo_t) -- 1.8.3.2
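
Review bot: the added term_dontaudit_getattr_unallocated_ttys($1_sudo_t) call in sudo_role_template has no policy comment saying why the getattr denial is silenced rather than allowed. The rationale (denials on tty_device_t:chr_file during sudo -i, no functional impact observed) exists only in the commit message. Because the rule sits in the template, it hides these denials for every role that instantiates it, so a short comment above the call would tell anyone debugging sudo terminal problems later to rebuild with dontaudit rules disabled (semodule -DB) before concluding that nothing is being denied. The commit message mentions only sudo -i; it would also help to state whether other invocations were checked.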