sudo: allow locking user terminals

type=AVC msg=audit(1735002721.326:185363): avc: denied { lock } for pid=2343525 comm="sudo" path="/dev/pts/1" dev="devpts" ino=4 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
0xC0ncord · Dec 24, 2024 · 51982f0 · 51982f0
1 parent b6c39bf
commit 51982f0
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
@@ -149,6 +149,7 @@ template(`sudo_role_template',`
 	userdom_manage_user_tmp_symlinks($1_sudo_t)
 	userdom_setattr_user_ptys($1_sudo_t)
 	userdom_use_user_terminals($1_sudo_t)
+	userdom_lock_user_terminals($1_sudo_t)
 	userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_user_home_content($1_sudo_t)