30 lines
1.7 KiB
Diff
30 lines
1.7 KiB
Diff
From f5d181f909dc380ede72219ede558ed4052c143f Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Mon, 10 Oct 2022 16:47:39 +0200
|
|
Subject: [PATCH] Allow vlock search the contents of the /dev/pts directory
|
|
|
|
Addresses the following AVC denial:
|
|
|
|
type=PROCTITLE msg=audit(08/31/2022 09:28:27.751:867) : proctitle=vlock
|
|
type=PATH msg=audit(08/31/2022 09:28:27.751:867) : item=0 name=/dev/pts/1 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
|
type=SYSCALL msg=audit(08/31/2022 09:28:27.751:867) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55b5ce6f0b60 a1=0x7ffdd6518320 a2=0x7ffdd6518320 a3=0x0 items=1 ppid=9040 pid=12550 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=17 comm=vlock exe=/usr/bin/vlock subj=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 key=(null)
|
|
type=AVC msg=audit(08/31/2022 09:28:27.751:867) : avc: denied { search } for pid=12550 comm=vlock name=/ dev="devpts" ino=1 scontext=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
|
|
|
|
Resolves: rhbz#2122838
|
|
---
|
|
policy/modules/contrib/vlock.te | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
|
|
index de409cc610..418f2f7ab5 100644
|
|
--- a/policy/modules/contrib/vlock.te
|
|
+++ b/policy/modules/contrib/vlock.te
|
|
@@ -40,5 +40,7 @@ init_dontaudit_rw_utmp(vlock_t)
|
|
|
|
logging_send_syslog_msg(vlock_t)
|
|
|
|
+term_search_ptys(vlock_t)
|
|
+
|
|
userdom_dontaudit_search_user_home_dirs(vlock_t)
|
|
userdom_use_inherited_user_terminals(vlock_t)
|