From: cgzones@googlemail.com (cgzones)
Date: Fri, 3 Mar 2017 11:40:47 +0100
Subject: [refpolicy] getty sys_admin access
In-Reply-To: <201703031316.57473.russell@coker.com.au>
References: <201703031316.57473.russell@coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

There were some discussions already at
http://oss.tresys.com/pipermail/refpolicy/2016-December/008831.html and
http://oss.tresys.com/pipermail/refpolicy/2016-November/008598.html.

I am getting these audits:

type=PROCTITLE msg=audit(02/17/17 23:51:57.729:42) : proctitle=/sbin/agetty --noclear tty1 linux
type=SYSCALL msg=audit(02/17/17 23:51:57.729:42) : arch=armeb syscall=ioctl per=PER_LINUX_32BIT success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x5457 a2=0x7e8bf69c a3=0x7e8bf6d8 items=0 ppid=1 pid=524 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=agetty exe=/sbin/agetty subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(02/17/17 23:51:57.729:42) : avc: denied { sys_admin } for pid=524 comm=agetty capability=sys_admin scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0

which seems to be ioctl(stdin, TIOCSLCKTRMIOS)

2017-03-03 3:16 GMT+01:00 Russell Coker via refpolicy:
> Why does getty_t need the sys_admin capability? From looking at capability.h
> the only listed use of that capability that seems plausible is "setting up
> serial ports". Does getty fail on serial devices if it doesn't have
> sys_admin?
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
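The step between the raw audit records above and the conclusion "this is TIOCSLCKTRMIOS" is worth making mechanical: the SYSCALL record carries the ioctl request number in a1 (0x5457, which is TIOCSLCKTRMIOS in the kernel's include/uapi/asm-generic/ioctls.h), the AVC record carries the denied capability, and both share the audit serial (42). The script below is an added example for this thread, not code from the list or from refpolicy. It assumes records in the `ausearch -i` layout shown in the mail (constructed sample inline, copied from the three lines above), correlates SYSCALL, AVC and PROCTITLE records by serial, decodes the ioctl request against a small hand-picked table of tty ioctls, and emits the allow rule an audit2allow run would propose; whether to grant that rule or dontaudit it is exactly the question the thread is asking.

```python
import re

# Constructed sample: the three records from the mail, one per line, all
# with audit serial 42, in the format that `ausearch -i` prints.
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(02/17/17 23:51:57.729:42) : proctitle=/sbin/agetty --noclear tty1 linux
type=SYSCALL msg=audit(02/17/17 23:51:57.729:42) : arch=armeb syscall=ioctl per=PER_LINUX_32BIT success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x5457 a2=0x7e8bf69c a3=0x7e8bf6d8 items=0 ppid=1 pid=524 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=agetty exe=/sbin/agetty subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(02/17/17 23:51:57.729:42) : avc: denied { sys_admin } for pid=524 comm=agetty capability=sys_admin scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
"""

# Hand-picked subset of tty ioctl request numbers from
# include/uapi/asm-generic/ioctls.h (values are the kernel's, the table is ours).
TTY_IOCTLS = {
    0x5401: "TCGETS",
    0x5402: "TCSETS",
    0x5456: "TIOCGLCKTRMIOS",
    0x5457: "TIOCSLCKTRMIOS",
}

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one audit record into (type, serial, fields)."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rtype, _stamp, serial, rest = m.groups()
    fields = {}
    if rtype == "PROCTITLE":
        # The command line contains spaces, so take everything after '='.
        fields["proctitle"] = rest.split("=", 1)[1]
        return rtype, serial, fields
    if rtype == "AVC":
        denied = re.search(r"denied\s+\{([^}]*)\}", rest)
        fields["denied"] = denied.group(1).split() if denied else []
    # Generic key=value fields (pid, comm, scontext, tclass, a0..a3, ...).
    fields.update(KV_RE.findall(rest))
    return rtype, serial, fields


def explain_denials(records_text):
    """Correlate records by serial and decode ioctl-related AVC denials."""
    events = {}
    for line in records_text.splitlines():
        if line.strip():
            rtype, serial, fields = parse_record(line)
            events.setdefault(serial, {})[rtype] = fields
    results = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or sc is None:
            continue  # a capability denial without its SYSCALL record is not decodable
        summary = {
            "serial": int(serial),
            "domain": avc["scontext"].split(":")[2],   # e.g. getty_t
            "tclass": avc["tclass"],
            "denied": avc["denied"],
            "syscall": sc["syscall"],
            "exit": sc["exit"].split("(")[0],           # EPERM(Operation ...) -> EPERM
            "proctitle": recs.get("PROCTITLE", {}).get("proctitle"),
            "enforcing": avc["permissive"] == "0",
        }
        if sc["syscall"] == "ioctl":
            request = int(sc["a1"], 16)
            summary["ioctl_fd"] = int(sc["a0"], 16)
            summary["ioctl_request"] = TTY_IOCTLS.get(request, hex(request))
        results.append(summary)
    return results


def candidate_rule(summary):
    """The allow rule audit2allow would propose for this denial (self-directed here)."""
    perms = " ".join(summary["denied"])
    return "allow %s self:%s %s;" % (summary["domain"], summary["tclass"], perms)


if __name__ == "__main__":
    for s in explain_denials(SAMPLE_RECORDS):
        print(s)
        print(candidate_rule(s))
```

Run against a live system with `ausearch -i -m AVC,SYSCALL,PROCTITLE --start recent | python3 triage.py` style piping (the script name is ours); the lookup only decodes requests in the table, so anything unknown is left as its hex value rather than guessed at.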