From c355b9d105730de54e9097e5afdc580d0d501e16 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 2 Sep 2024 16:24:45 +0200 Subject: [PATCH] Allow the sysadm user use the secretmem API This is a follow-up commit to 41c4218e835a0 ("Add support for secretmem anon inode") which allowed the necessary permission to unconfined domain types. This commit allows it also for the sysadm_t domain. Note: Pages allocated with this method can never be swapped out of the physical memory and the system hibernation is blocked as long as any file descriptor created with this method exists, so this permission should be allowed to a very limited set of domains only. Resolves: rhbz#2270895 --- policy/modules/roles/sysadm.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 3b5373168c..a5489a8a67 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -28,6 +28,7 @@ kernel_manage_perf_event(sysadm_t) kernel_prog_run_bpf(sysadm_t) kernel_read_fs_sysctls(sysadm_t) kernel_read_all_proc(sysadm_t) +kernel_secretmem_use(sysadm_t) kernel_unconfined(sysadm_t) auth_manage_shadow(sysadm_t)
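Review bot: The new `kernel_secretmem_use(sysadm_t)` line grants the permission unconditionally, while the commit message itself states that secretmem pages can never be swapped out and that hibernation is blocked for as long as any such file descriptor exists, and that the permission should go to a very limited set of domains. Since sysadm_t is the interactive administrator role rather than a dedicated service domain, consider gating the call behind a boolean via `tunable_policy` so deployments that rely on hibernation can keep it off, or state in the commit message why an unconditional grant is acceptable for sysadm_t. Two smaller points on the same hunk: the `kernel_secretmem_use` interface is not defined anywhere in this diff, so the patch only builds if the referenced commit 41c4218e835a0 (which added the interface for unconfined domain types) is already in the tree, and it would help to say so explicitly; and the subject line reads "Allow the sysadm user use the secretmem API" and should be "Allow the sysadm user to use the secretmem API". Placement between `kernel_read_all_proc(sysadm_t)` and `kernel_unconfined(sysadm_t)` keeps the kernel_* calls in alphabetical order, which is fine.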