From: aranea@aixah.de (Luis Ressel)
Date: Fri, 4 Mar 2016 03:05:18 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Message-ID: <1457057118-4361-1-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It's required for agetty on kernels with a recent grsecurity patchset. (The denial itself has been showing up for quite some time, but it hasn't had any obvious ill effects until recently.)
---
 policy/modules/system/getty.te | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea..80fec66 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
 #
 # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
@@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
 sysnet_dns_name_resolve(getty_t)
 ')
-ifdef(`distro_redhat',`
- # getty requires sys_admin #209426
- allow getty_t self:capability sys_admin;
-')
-
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(getty_t)
--
2.7.2
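Review bot: The widened `allow getty_t self:capability { ... sys_admin ... };` rule in the first hunk has no comment saying which agetty operation needs sys_admin, and the second hunk deletes the only explanation the file had (`# getty requires sys_admin #209426`). sys_admin is a very broad capability, and the rule now applies on every distribution instead of only under `distro_redhat`, so the justification should sit next to the rule, for example `# agetty needs sys_admin (fails without it on grsecurity kernels; see also #209426)`. The commit message does not name the failing call; it is presumably the terminal hangup (vhangup()) path, which is worth confirming from the AVC record and stating in that comment. The local policy section this rule belongs to starts and ends outside the hunk.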