From: aranea@aixah.de (Luis Ressel) Date: Sat, 5 Mar 2016 16:55:57 +0100 Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability In-Reply-To: <56D98968.30104@tresys.com> References: <1457057118-4361-1-git-send-email-aranea@aixah.de> <56D98968.30104@tresys.com> Message-ID: <20160305165557.1935e8b9@gentp.lnet> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 4 Mar 2016 08:11:04 -0500 "Christopher J. PeBenito" wrote: > On 3/3/2016 9:05 PM, Luis Ressel wrote: > > It's required for agetty on kernels with a recent grsecurity > > patchset. (The denial itself has been showing up for quite some > > time, but it hasn't had any obvious ill effects until recently.) > > I'm reluctant to add this because it is a significant permission and > grsecurity is not commonly used with SELinux, to my knowledge. > The ML seems to have eaten this mail, so I'm resending it. Apologies if it arrives twice. agetty already has enough access permissions so that someone who's hacked it has compromised the system anyway, so CAP_SYS_ADMIN doesn't really matter in this context. But I agree that CAP_SYS_ADMIN is a "monster" permission that shouldn't be handed out unless really neccessary, so I'm fine if we don't add it to refpolicy. I'll fix it on the gentoo side, then; either with a distro_gentoo block in the policy or with an agetty patch. By the way, most -- if not all -- gentoo users of SELinux use it in conjunction with grsecurity. That probably doesn't qualify as "common usage", though. :) -- Regards, Luis Ressel