From: aranea@aixah.de (Luis Ressel)
Date: Fri,  4 Mar 2016 03:05:18 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Message-ID: <1457057118-4361-1-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
---
 policy/modules/system/getty.te | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea..80fec66 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
@@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
 	sysnet_dns_name_resolve(getty_t)
 ')
 
-ifdef(`distro_redhat',`
-	# getty requires sys_admin #209426
-	allow getty_t self:capability sys_admin;
-')
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(getty_t)
-- 
2.7.2