From: cgzones@googlemail.com (cgzones)
Date: Fri, 3 Mar 2017 11:40:47 +0100
Subject: [refpolicy] getty sys_admin access
In-Reply-To: <201703031316.57473.russell@coker.com.au>
References: <201703031316.57473.russell@coker.com.au>
Message-ID: <CAJ2a_DdoFW=_DX0Apx-xX7iT9waJ5_94GvhTGf3y5dE6iospug@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

There were some discussions already at
http://oss.tresys.com/pipermail/refpolicy/2016-December/008831.html
and http://oss.tresys.com/pipermail/refpolicy/2016-November/008598.html.
I am getting these audits:

type=PROCTITLE msg=audit(02/17/17 23:51:57.729:42) :
proctitle=/sbin/agetty --noclear tty1 linux
type=SYSCALL msg=audit(02/17/17 23:51:57.729:42) : arch=armeb
syscall=ioctl per=PER_LINUX_32BIT success=no exit=EPERM(Operation not
permitted) a0=0x0 a1=0x5457 a2=0x7e8bf69c a3=0x7e8bf6d8 items=0 ppid=1
pid=524 auid=unset uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=agetty
exe=/sbin/agetty subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(02/17/17 23:51:57.729:42) : avc: denied { sys_admin
} for pid=524 comm=agetty capability=sys_admin
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0

which seems to be ioctl(stdin, TIOCSLCKTRMIOS)

2017-03-03 3:16 GMT+01:00 Russell Coker via refpolicy
<refpolicy@oss.tresys.com>:
> Why does getty_t need the sys_admin capability?  From looking at capability.h
> the only listed use of that capability that seems plausible is "setting up
> serial ports".  Does getty fail on serial devices if it doesn't have
> sys_admin?
>
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy