From: aranea@aixah.de (Luis Ressel)
Date: Sat, 5 Mar 2016 16:55:57 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <56D98968.30104@tresys.com>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de>
	<56D98968.30104@tresys.com>
Message-ID: <20160305165557.1935e8b9@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 4 Mar 2016 08:11:04 -0500
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 3/3/2016 9:05 PM, Luis Ressel wrote:
> > It's required for agetty on kernels with a recent grsecurity
> > patchset. (The denial itself has been showing up for quite some
> > time, but it hasn't had any obvious ill effects until recently.)  
> 
> I'm reluctant to add this because it is a significant permission and
> grsecurity is not commonly used with SELinux, to my knowledge.
> 

The ML seems to have eaten this mail, so I'm resending it. Apologies if
it arrives twice.

agetty already has enough access permissions so that someone who's
hacked it has compromised the system anyway, so CAP_SYS_ADMIN doesn't
really matter in this context.

But I agree that CAP_SYS_ADMIN is a "monster" permission that shouldn't
be handed out unless really neccessary, so I'm fine if we don't add it
to refpolicy.

I'll fix it on the gentoo side, then; either with a distro_gentoo block
in the policy or with an agetty patch.

By the way, most -- if not all -- gentoo users of SELinux use it in
conjunction with grsecurity. That probably doesn't qualify as "common
usage", though. :)

-- 
Regards,
Luis Ressel