From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 Mar 2016 08:11:04 -0500 Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability In-Reply-To: <1457057118-4361-1-git-send-email-aranea@aixah.de> References: <1457057118-4361-1-git-send-email-aranea@aixah.de> Message-ID: <56D98968.30104@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 3/3/2016 9:05 PM, Luis Ressel wrote: > It's required for agetty on kernels with a recent grsecurity patchset. > (The denial itself has been showing up for quite some time, but it > hasn't had any obvious ill effects until recently.) I'm reluctant to add this because it is a significant permission and grsecurity is not commonly used with SELinux, to my knowledge. > --- > policy/modules/system/getty.te | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > > diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te > index f6743ea..80fec66 100644 > --- a/policy/modules/system/getty.te > +++ b/policy/modules/system/getty.te > @@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t) > # > > # Use capabilities. > -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; > +allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid }; > dontaudit getty_t self:capability sys_tty_config; > allow getty_t self:process { getpgid setpgid getsession signal_perms }; > allow getty_t self:fifo_file rw_fifo_file_perms; > @@ -102,11 +102,6 @@ ifdef(`distro_gentoo',` > sysnet_dns_name_resolve(getty_t) > ') > > -ifdef(`distro_redhat',` > - # getty requires sys_admin #209426 > - allow getty_t self:capability sys_admin; > -') > - > ifdef(`distro_ubuntu',` > optional_policy(` > unconfined_domain(getty_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
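Review bot: in the first hunk (the `allow getty_t self:capability { ... sys_admin ... }` change at `@@ -33,7 +33,7 @@`), sys_admin is granted unconditionally to every build, while the justification in the description is specific to kernels carrying a recent grsecurity patchset; consider scoping the permission the way the former distro_redhat block did (an `ifdef` or a tunable) instead of widening the baseline policy, and add a comment on the allow line stating why getty needs it, since the new line carries no rationale at all.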
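Review bot: in the second hunk (`@@ -102,11 +102,6 @@`), deleting the distro_redhat block also deletes the only explanatory comment (`# getty requires sys_admin #209426`), so the bug reference that documented why sys_admin was needed on that distribution is lost; if the block is folded into the unconditional rule, carry the reference over to a comment beside the new allow line so the history of the permission remains visible in the policy.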