Allow the sysadm user to use the secretmem API
This is a follow-up commit to 41c4218 ("Add support for secretmem
anon inode") which allowed the necessary permission to unconfined
domain types. This commit allows it also for the sysadm_t domain.

Note: Pages allocated with this method can never be swapped out of the
physical memory and the system hibernation is blocked as long as any
file descriptor created with this method exists, so this permission
should be allowed to a very limited set of domains only.

Resolves: rhbz#2270895
zpytela committed Sep 4, 2024
1 parent c4f832a commit c355b9d
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/roles/sysadm.te
Expand Up @@ -28,6 +28,7 @@ kernel_manage_perf_event(sysadm_t)
kernel_prog_run_bpf(sysadm_t)
kernel_read_fs_sysctls(sysadm_t)
kernel_read_all_proc(sysadm_t)
kernel_secretmem_use(sysadm_t)
kernel_unconfined(sysadm_t)

auth_manage_shadow(sysadm_t)
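Review bot: The added `kernel_secretmem_use(sysadm_t)` line carries none of the rationale the commit message gives (pinned, unswappable pages and blocked hibernation while a descriptor is open), and the .te file is where the next maintainer will look when deciding whether to copy this call into another domain. Suggest a short comment above the new line, e.g. `# secretmem pages are never swapped and block hibernation; grant sparingly (rhbz#2270895)`. Also worth confirming that the `kernel_secretmem_use` interface introduced by 41c4218 is present in this tree, since the hunk only shows the caller, and that the surrounding block is not already conditional on a tunable that would make the grant narrower or broader than intended; the hunk context does not show that.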
