From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 4 Mar 2016 08:11:04 -0500
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <1457057118-4361-1-git-send-email-aranea@aixah.de>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de>
Message-ID: <56D98968.30104@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/3/2016 9:05 PM, Luis Ressel wrote:
> It's required for agetty on kernels with a recent grsecurity patchset.
> (The denial itself has been showing up for quite some time, but it
> hasn't had any obvious ill effects until recently.)

I'm reluctant to add this because it is a significant permission and
grsecurity is not commonly used with SELinux, to my knowledge.


> ---
>  policy/modules/system/getty.te | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index f6743ea..80fec66 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
>  #
>  
>  # Use capabilities.
> -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
> +allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
>  dontaudit getty_t self:capability sys_tty_config;
>  allow getty_t self:process { getpgid setpgid getsession signal_perms };
>  allow getty_t self:fifo_file rw_fifo_file_perms;
> @@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
>  	sysnet_dns_name_resolve(getty_t)
>  ')
>  
> -ifdef(`distro_redhat',`
> -	# getty requires sys_admin #209426
> -	allow getty_t self:capability sys_admin;
> -')
> -
>  ifdef(`distro_ubuntu',`
>  	optional_policy(`
>  		unconfined_domain(getty_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com