commit:     2cec96ddfb5cdb3f78f9a380ab06fa8fdc0478d2
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Jan  9 08:33:10 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:58 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cec96dd

usermanage: permit groupadd to read kernel sysctl

When using groupadd, I got some AVC due to groupadd reading /proc/sys/kernel/cap_last_cap

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index b5d443dd4..fd2da2ffc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -227,6 +227,8 @@ files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
+kernel_read_kernel_sysctls(groupadd_t)
+
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
 
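Review bot: kernel_read_kernel_sysctls(groupadd_t) grants read access to the whole kernel sysctl tree (sysctl_kernel_t), while the commit message documents a need for only one file, /proc/sys/kernel/cap_last_cap; since the surrounding lines in this hunk carry no comment recording that motivation, add one above the call, e.g. `# read /proc/sys/kernel/cap_last_cap`, so the breadth of the grant stays traceable to the AVC that prompted it, and check whether a narrower interface covers that single file before settling on the blanket one. A secondary style point: the new call lands between the files_* calls and the corecmd_exec_bin(groupadd_t) call, so confirm this matches the ordering of the other kernel_* interface calls already present for groupadd_t.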