Add missing sys_chroot capability to groupadd policy
Just like useradd, groupadd supports chroot operation, but for that
to work it needs the sys_chroot capability, just like the useradd
policy has (see commit 0651cc9).

This is one of the roadblocks in making RPM sysusers feature fully
functional: rpm-software-management/rpm#3227
pmatilai authored and zpytela committed Aug 26, 2024
1 parent ddc9f59 commit eb38a88
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion policy/modules/admin/usermanage.te
@@ -212,7 +212,7 @@ optional_policy(`
# Groupadd local policy
#

allow groupadd_t self:capability { dac_read_search dac_override chown fowner kill setuid sys_resource audit_write };
allow groupadd_t self:capability { dac_read_search dac_override chown fowner kill setuid sys_resource sys_chroot audit_write };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
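Review bot: the added `sys_chroot` in the `groupadd_t self:capability` rule is a one-token change that mirrors the `useradd_t` rule the commit message cites (commit 0651cc9), but the .te file gives no hint of why the capability is needed; a short comment above the allow line (e.g. `# groupadd --root needs sys_chroot, same as useradd_t`) would keep the next reader from treating it as an unexplained widening. Also worth checking before merge: granting `CAP_SYS_CHROOT` only lets the domain enter the chroot, it does not by itself label or permit access to the files under the target root, so a `groupadd --root <dir>` run in enforcing mode with `ausearch -m avc` watching for new denials is the practical verification that this hunk is sufficient rather than just the first of several missing rules. The `dontaudit` line and the `self:process` rules are unchanged and unaffected by this edit.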
