From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 4 Mar 2016 16:54:17 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <56D98968.30104@tresys.com>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de> <56D98968.30104@tresys.com>
Message-ID: <56D9AFA9.503@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote:
> On 3/3/2016 9:05 PM, Luis Ressel wrote:
>> It's required for agetty on kernels with a recent grsecurity
>> patchset. (The denial itself has been showing up for quite some
>> time, but it hasn't had any obvious ill effects until recently.)
>
> I'm reluctant to add this because it is a significant permission
> and grsecurity is not commonly used with SELinux, to my knowledge.
>

My getty requests this permission as well [1] and I am not using
grsecurity. Although, I am not sure if the permission is absolutely
needed. (then again I do not believe that it requests it for its
health alone)

[1] https://github.com/DefenSec/dssp-contrib/blob/master/services/getty/policy.cil#L22

>
>> --- policy/modules/system/getty.te | 7 +------ 1 file changed, 1 >> insertion(+), 6 deletions(-) >> >> diff --git a/policy/modules/system/getty.te >> b/policy/modules/system/getty.te index f6743ea..80fec66 100644 >> --- a/policy/modules/system/getty.te +++ >> b/policy/modules/system/getty.te @@ -33,7 +33,7 @@ >> files_pid_file(getty_var_run_t) # >> >> # Use capabilities. -allow getty_t self:capability { dac_override >> chown setgid sys_resource sys_tty_config fowner fsetid }; +allow >> getty_t self:capability { dac_override chown setgid sys_admin >> sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t >> self:capability sys_tty_config; allow getty_t self:process { >> getpgid setpgid getsession signal_perms }; allow getty_t >> self:fifo_file rw_fifo_file_perms;
@@ -102,11 +102,6 @@ >> ifdef(`distro_gentoo',` sysnet_dns_name_resolve(getty_t) ') >> >> -ifdef(`distro_redhat',` - # getty requires sys_admin #209426 - >> allow getty_t self:capability sys_admin; -') - >> ifdef(`distro_ubuntu',` optional_policy(` >> unconfined_domain(getty_t) >>
>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
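Review bot: in the first hunk (@@ -33,7 +33,7 @@) the `sys_admin` added to the `allow getty_t self:capability { ... }` line is unconditional, so every build gains it, while the justification in the patch description covers only kernels with a recent grsecurity patchset and names no operation agetty performs that needs it. Before widening a capability this broad for all users, record the denied operation (the syscall from the audit record) in a comment beside the allow, and consider keeping the grant conditional, for example under an `ifdef` as the existing Red Hat-specific block does, or behind a `tunable_policy` block.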
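Review bot: the second hunk (@@ -102,11 +102,6 @@) deletes the `ifdef(`distro_redhat',` block together with its comment `# getty requires sys_admin #209426`, which is the only recorded reason getty_t ever needed this capability. Removing the block is consistent once the capability is granted unconditionally, but the bug reference should move to the new allow line rather than vanish, so a later reader can tell why `sys_admin` is there and whether it can be dropped again.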