From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 28 Nov 2016 18:02:56 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <20161127235012.78adccd6@gentp.lnet>
References: <20161127164146.3773-1-aranea@aixah.de>
 <20161127164146.3773-2-aranea@aixah.de>
 <1480278785.620.4.camel@trentalancia.net>
 <20161127222218.1ae86825@gentp.lnet>
 <1480285881.620.14.camel@trentalancia.net>
 <20161127235012.78adccd6@gentp.lnet>
Message-ID: <1480352576.14631.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 27/11/2016 at 23.50 +0100, Luis Ressel wrote:
> On Sun, 27 Nov 2016 23:31:21 +0100
> Guido Trentalancia via refpolicy wrote:

[...]

> We've
> added grsec-specific permissions to the refpolicy before, though (for
> example "getty_t self:capability cap_sys_admin" earlier this year).

Thanks for pointing that out!

I have now removed the sys_admin capability locally from the getty
module. It is not needed.

And, there must be something wrong if the patch you mention forces
permissions that are normally unneeded... It seems like it is forcing
the users to weaken the policy, which is not what we want.

Guido