commit: 6f89ead94bb14f55eca319a101c791159faa9739
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar 25 20:30:04 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:20:56 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f89ead9
Hide getattr denials upon sudo invocation
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/admin/sudo.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4bb2245..07e5db8 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -110,6 +110,7 @@ template(`sudo_role_template',`
selinux_compute_relabel_context($1_sudo_t)
term_getattr_pty_fs($1_sudo_t)
+ term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
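Review bot: The added `term_dontaudit_getattr_unallocated_ttys($1_sudo_t)` line in `sudo_role_template` carries no comment saying why the denial is silenced, and the reason lives only in the commit message. Because this is a template, the dontaudit applies to every `*_sudo_t` domain instantiated from it, and a dontaudit rule removes these getattr denials from the audit log for all of them, so anyone later debugging sudo tty behaviour will not see them unless dontaudit rules are disabled. Consider a one-line comment above the call, for example `# sudo -i triggers getattr on tty_device_t:chr_file; denial has no functional impact`, so the rationale stays with the policy source.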