From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 28 Nov 2016 18:02:56 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the
 sys_admin cap
In-Reply-To: <20161127235012.78adccd6@gentp.lnet>
References: <20161127164146.3773-1-aranea@aixah.de>
	<20161127164146.3773-2-aranea@aixah.de>
	<1480278785.620.4.camel@trentalancia.net>
	<20161127222218.1ae86825@gentp.lnet>
	<1480285881.620.14.camel@trentalancia.net>
	<20161127235012.78adccd6@gentp.lnet>
Message-ID: <1480352576.14631.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 27/11/2016 at 23.50 +0100, Luis Ressel wrote:
> On Sun, 27 Nov 2016 23:31:21 +0100
> Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:

[...]

> We've
> added grsec-specific permissions to the refpolicy before, though (for
> example "getty_t self:capability cap_sys_admin" earlier this year).

Thanks for pointing that out ! I have now removed the sys_admin
capability locally from the getty module.

It is not needed. And, there must be something wrong if the patch you
mention forces permissions that are normally unneeded... It seems like
it is forcing the users to weaken the policy, which is not what we
want.

Guido