[Feature Request] - SELinux policy update for getty checkpoint_restore
tg975 commented
Is your feature request related to a problem? Please describe.
SELinux is denying checkpoint_restore activity.
```
ausearch -m AVC,USER_AVC -ts today
----
time->Mon Apr 8 07:30:38 2024
type=AVC msg=audit(1712561438.441:202): avc: denied { checkpoint_restore } for pid=2302 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
time->Mon Apr 8 07:30:38 2024
type=AVC msg=audit(1712561438.481:203): avc: denied { checkpoint_restore } for pid=2301 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
```
It is visible in logs as soon as AWS EC2 with AL2003 is started.
Describe the solution you'd like
In the fedora-selinux project it has been addressed by adding `dontaudit getty_t self:capability2 checkpoint_restore;` in the getty policy.
References:
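Added example, not part of the original issue or of any SELinux project code: a small Python parser that turns the AVC records quoted above into the policy rule the issue asks for, collapsing repeated denials into one rule. The function names `parse_avc` and `build_rules` are hypothetical, and writing a matching source and target type as `self` follows the rule quoted in the issue.

```python
import re
from collections import defaultdict

# Sample input: the ausearch output quoted in the issue above.
SAMPLE = """\
----
time->Mon Apr 8 07:30:38 2024
type=AVC msg=audit(1712561438.441:202): avc: denied { checkpoint_restore } for pid=2302 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
time->Mon Apr 8 07:30:38 2024
type=AVC msg=audit(1712561438.481:203): avc: denied { checkpoint_restore } for pid=2301 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return source, target, fields["tclass"], m.group(1).split()
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def build_rules(log_text, keyword="dontaudit"):
    """Collapse repeated denials into one policy rule per (source, target, class)."""
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("keyword must be 'allow' or 'dontaudit'")
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[rec[:3]].update(rec[3])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        # Same source and target type is written as "self", as in the rule quoted above.
        target = "self" if source == target else target
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {source} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE)))
```

A `dontaudit` rule only suppresses the audit record and the capability stays denied, whereas passing `keyword="allow"` produces a rule that would grant it.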