[refpolicy] [PATCH] Dontaudit screen asking for the sys_tty_config capability

Christopher J. PeBenito cpebenito at tresys.com
Mon Mar 3 09:07:36 EST 2014


On 2/16/2014 9:18 AM, Luis Ressel wrote:
> This avc shows up when using screen as root, however screen seems to
> work fine without that permission.
> ---
>  screen.if | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/screen.if b/screen.if
> index be5cce2..08c8978 100644
> --- a/screen.if
> +++ b/screen.if
> @@ -54,6 +54,8 @@ template(`screen_role_template',`
>  	dontaudit $3 $1_screen_t:unix_stream_socket { read write };
>  	allow $1_screen_t $3:process signal;
>  
> +	dontaudit $1_screen_t self:capability sys_tty_config;
> +
>  	allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
>  	allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
>  	allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list