From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 Apr 2014 16:09:34 -0400 Subject: [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation In-Reply-To: <1395779408-29213-2-git-send-email-sven.vermeulen@siphos.be> References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> <1395779408-29213-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <533F117E.7080902@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/25/2014 04:30 PM, Sven Vermeulen wrote: > When sudo is invoked (sudo -i) the audit log gets quite a lot of denials > related to the getattr permission against tty_device_t:chr_file for the > *_sudo_t domain. However, no additional logging (that would hint at a > need) by sudo, nor any functional issues come up. > > Hence the dontaudit call. Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/sudo.if | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if > index 0960199..d9114b3 100644 > --- a/policy/modules/admin/sudo.if > +++ b/policy/modules/admin/sudo.if > @@ -110,6 +110,7 @@ template(`sudo_role_template',` > selinux_compute_relabel_context($1_sudo_t) > > term_getattr_pty_fs($1_sudo_t) > + term_dontaudit_getattr_unallocated_ttys($1_sudo_t) > term_relabel_all_ttys($1_sudo_t) > term_relabel_all_ptys($1_sudo_t) > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
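
Review bot: The added term_dontaudit_getattr_unallocated_ttys($1_sudo_t) line in sudo_role_template has no comment saying why the access is silenced rather than allowed. The justification in the commit message (getattr denials on tty_device_t:chr_file during sudo -i, with no functional issue observed) lives only in the log, so a one-line comment above the call would keep that rationale next to the rule. The template applies the suppression to every $1_sudo_t domain, while the testing described covers only sudo -i. Anyone later debugging sudo terminal handling should therefore rebuild with dontaudit rules disabled (semodule -DB) to see these denials again.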