Currently, when a sudo domain set is created (using sudo_role_template), this domain does not have dontaudit rules on various device types. As a result, when a sudo invocation is done (for instance "sudo -s postfix reload"), lots of denials show up:

type=AVC msg=audit(1431773613.857:1812): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/vda3" dev="devtmpfs" ino=1294 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1431773613.857:1813): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/rtc0" dev="devtmpfs" ino=1310 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1431773613.857:1814): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/network_throughput" dev="devtmpfs" ino=1330 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1431773613.857:1815): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/network_latency" dev="devtmpfs" ino=1329 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file permissive=0

The following adds the proper dontaudit rules:

  dev_dontaudit_getattr_all_blk_files($1_sudo_t)
  dev_dontaudit_getattr_all_chr_files($1_sudo_t)

Reproducible: Always

Steps to Reproduce:
1. Create a new SELinux user/role set
2. Create a sudo domain using sudo_role_template
3. Invoke sudo and watch the AVC denials

Actual Results:
Lots of denials occur, but no harm on the operational side (no effects that warrant us allowing the getattr).

Expected Results:
No denials.
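As an added illustration of the triage behind this report (example code written for this page, not part of the bug or of the Gentoo policy tree): the script below parses AVC records like the four above into (source type, target type, class, permission) tuples, counts them, and separates the "getattr on a device node" cases, which the report argues are harmless noise to hide with dontaudit, from anything else, which a policy author still has to review. The sample input is the report's own four records; the classification heuristic (getattr against a *_device_t type) and the mapping from object class to the two refpolicy interfaces named in the report are this example's assumptions, and the interface calls are emitted with the instantiated domain name seen in the log rather than the template's $1_sudo_t.

```python
import re
from collections import Counter

# Constructed sample: the four AVC records quoted in the report, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1431773613.857:1812): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/vda3" dev="devtmpfs" ino=1294 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1431773613.857:1813): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/rtc0" dev="devtmpfs" ino=1310 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1431773613.857:1814): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/network_throughput" dev="devtmpfs" ino=1330 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1431773613.857:1815): avc: denied { getattr } for pid=28934 comm="sudo" path="/dev/network_latency" dev="devtmpfs" ino=1329 scontext=mailadm_u:mailadm_r:mailadm_sudo_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file permissive=0
"""

# Fields of an AVC denial record that matter for writing policy.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed mapping from object class to the refpolicy interfaces the report
# proposes; only these two classes are covered by the proposed fix.
INTERFACE_BY_CLASS = {
    "blk_file": "dev_dontaudit_getattr_all_blk_files",
    "chr_file": "dev_dontaudit_getattr_all_chr_files",
}


def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        # user:role:type:level -> keep only the type component
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def classify(counts):
    """Split denials into dontaudit candidates and ones needing review.

    Heuristic taken from the report's reasoning: a getattr on a device node
    has no operational effect for the caller, so it is hidden rather than
    granted. Everything else is returned as a raw rule body for a human.
    """
    dontaudit, review = [], []
    for (stype, ttype, tclass, perm), n in sorted(counts.items()):
        body = f"{stype} {ttype}:{tclass} {perm};"
        if perm == "getattr" and ttype.endswith("_device_t"):
            dontaudit.append(f"dontaudit {body}")
        else:
            review.append(body)
    return dontaudit, review


def refpolicy_interfaces(counts):
    """Collapse the dontaudit candidates into the interface calls from the report."""
    calls = set()
    for (stype, ttype, tclass, perm) in counts:
        if perm == "getattr" and tclass in INTERFACE_BY_CLASS:
            calls.add(f"{INTERFACE_BY_CLASS[tclass]}({stype})")
    return sorted(calls)


if __name__ == "__main__":
    counts = summarize(SAMPLE_AVC.splitlines())
    hide, check = classify(counts)
    print("dontaudit candidates:", *hide, sep="\n  ")
    print("needs review:", *check, sep="\n  ")
    print("interface calls:", *refpolicy_interfaces(counts), sep="\n  ")
```

On a live system the same functions can be fed the output of `ausearch -m avc` instead of the embedded sample; the point of keeping the grouping step separate from the classification step is that the "hide with dontaudit" decision stays an explicit, reviewable rule rather than something inferred from counts alone.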
In repo, will be part of rev 6
r6 policy is in ~arch
Now stable