From: aranea@aixah.de (Luis Ressel)
Date: Sat, 5 Mar 2016 17:43:26 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <20160305161537.GA30514@meriadoc.perfinion.com>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de>
	<56D98968.30104@tresys.com>
	<20160305165557.1935e8b9@gentp.lnet>
	<20160305161537.GA30514@meriadoc.perfinion.com>
Message-ID: <20160305174326.476bbcea@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 6 Mar 2016 00:15:37 +0800
Jason Zaman wrote:

> We're all agreed that this perm sucks, but if it really is required on
> grsec that is justification enough for me to take the patch in gentoo
> even if it does not make it into refpolicy.
>
> If at all possible, I would obviously prefer to have agetty fixed. If
> only the first character is eaten that is rather strange so perhaps
> there is a real bug. If a fix is not possible then we just fall back
> to a distro_gentoo() block.
>

Have a look at agetty.c, grep for TIOCSTI. It's not a bug, but it looks
like bad engineering. They prematurely read a single char, then insert
it back into the input stream via TIOCSTI (instead of just remembering
it in a temporary buffer).

> I have not noticed this on my machine yet, what version of kernel and
> agetty causes this?
>

agetty since at least util-linux version 2.26, in combination with the
CONFIG_GRKERNSEC_HARDEN_TTY kernel config (which is a very new grsec
feature; it's in hardened-sources-4.4.3, perhaps also in 4.4.2, but not
in <=4.3.5).

In case you haven't noticed yet, I've opened a gentoo bug for
discussion: https://bugs.gentoo.org/show_bug.cgi?id=576522

-- 
Regards,
Luis Ressel
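The two look-ahead strategies the message contrasts (read one byte and push it back into the tty with TIOCSTI, versus keeping it in a userspace buffer), written out as an added illustration. This is not code from the thread or from util-linux's agetty.c; it is a constructed stand-alone program. It uses a pipe as a stand-in for the tty, so the ioctl fails with ENOTTY rather than the EPERM a hardened kernel would return, but the visible effect is the same: the byte consumed by the look-ahead read is gone from the stream once the reinsertion fails, which is exactly the "first character eaten" symptom. The buffered reader (`pb_reader`, `pb_peek`, `pb_read`) and the driver `run_demo` are names chosen for this example only.

```c
/* Added example: lookahead via TIOCSTI versus a userspace pushback buffer.
 * Not agetty code; a pipe stands in for the tty so it runs without a terminal. */
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Strategy A (the pattern the mail criticises): consume one byte, then ask the
 * kernel to re-queue it with TIOCSTI. On a hardened kernel the ioctl can fail
 * with EPERM (here, on a pipe, with ENOTTY); either way the byte has already
 * left the input stream. Returns 0 on success, -1 on failure. */
static int peek_via_tiocsti(int fd, char *out)
{
    char c;
    if (read(fd, &c, 1) != 1)
        return -1;
    *out = c;                        /* the caller has seen the byte ... */
    if (ioctl(fd, TIOCSTI, &c) < 0)  /* ... but later reads will not */
        return -1;
    return 0;
}

/* Strategy B: remember the byte in userspace. No privileged ioctl involved. */
struct pb_reader {
    int fd;
    int has_pending;   /* 1 if `pending` holds a byte not yet returned by pb_read */
    char pending;
};

static int pb_peek(struct pb_reader *r, char *out)
{
    if (!r->has_pending) {
        if (read(r->fd, &r->pending, 1) != 1)
            return -1;
        r->has_pending = 1;
    }
    *out = r->pending;
    return 0;
}

/* read(2)-like: hands back the buffered byte first, then continues from fd. */
static ssize_t pb_read(struct pb_reader *r, char *buf, size_t len)
{
    size_t off = 0;
    ssize_t n;
    if (len == 0)
        return 0;
    if (r->has_pending) {
        buf[0] = r->pending;
        r->has_pending = 0;
        off = 1;
        if (len == 1)
            return 1;
    }
    n = read(r->fd, buf + off, len - off);
    if (n < 0)
        return off ? (ssize_t)off : -1;
    return (ssize_t)off + n;
}

/* Feed constructed `input` through a pipe, peek one byte with the chosen
 * strategy, then read the rest the way a login prompt would. Returns the
 * number of bytes placed in `out` (NUL-terminated), or -1 on error. */
ssize_t run_demo(int use_tiocsti, const char *input, char *out, size_t outlen)
{
    int p[2];
    char first;
    ssize_t n;

    if (outlen < 2 || pipe(p) < 0)
        return -1;
    if (write(p[1], input, strlen(input)) != (ssize_t)strlen(input)) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);

    if (use_tiocsti) {
        /* Carry on after the failed ioctl: this is how the first byte vanishes. */
        (void)peek_via_tiocsti(p[0], &first);
        n = read(p[0], out, outlen - 1);
    } else {
        struct pb_reader r = { p[0], 0, 0 };
        if (pb_peek(&r, &first) < 0) {
            close(p[0]);
            return -1;
        }
        n = pb_read(&r, out, outlen - 1);
    }
    close(p[0]);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

/* Convenience check: does the chosen strategy deliver exactly `expect`? */
int demo_matches(int use_tiocsti, const char *input, const char *expect)
{
    char buf[64];
    return run_demo(use_tiocsti, input, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[64];
    ssize_t n;

    n = run_demo(1, "login\n", buf, sizeof buf);
    printf("TIOCSTI path, ioctl denied: %zd bytes: \"%s\"\n", n, buf);
    n = run_demo(0, "login\n", buf, sizeof buf);
    printf("pushback path:              %zd bytes: \"%s\"\n", n, buf);
    return 0;
}
```

The buffered variant is the fix the message gestures at: the single byte of look-ahead never leaves the process, so neither the TIOCSTI ioctl nor the CAP_SYS_ADMIN that CONFIG_GRKERNSEC_HARDEN_TTY demands for it is needed.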