From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 28 Nov 2016 22:57:40 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <20161128224859.013ce4ab@gentp.lnet>
References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128224859.013ce4ab@gentp.lnet>
Message-ID: <1480370260.14631.12.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28/11/2016 at 22.48 +0100, Luis Ressel wrote:
> On Mon, 28 Nov 2016 18:02:56 +0100
> Guido Trentalancia via refpolicy wrote:
>
> > On Sun, 27/11/2016 at 23.50 +0100, Luis Ressel wrote:
> > > On Sun, 27 Nov 2016 23:31:21 +0100
> > > Guido Trentalancia via refpolicy wrote:
> > >
> > > [...]
> > >
> > > We've added grsec-specific permissions to the refpolicy before, though
> > > (for example "getty_t self:capability cap_sys_admin" earlier this
> > > year).
> >
> > Thanks for pointing that out! I have now removed the sys_admin
> > capability locally from the getty module.
> >
> > It is not needed. And, there must be something wrong if the patch you
> > mention forces permissions that are normally unneeded... It seems like
> > it is forcing the users to weaken the policy, which is not what we want.
>
> Well, actually the intent behind this is to *improve* security. The
> grsec folks check the kernel for APIs which allow potentially dangerous
> actions without requiring any elevated permissions, and try to secure
> those APIs -- for example by adding a capable() check.

That's really counterproductive when combined with SELinux!
At the moment, if a malicious version of getty gets into the system, it is granted sys_admin capability permissions (which include privileged and administrative operations). On the other hand, a normal, tight policy (which does not grant the unneeded sys_admin permission) would prevent a malicious getty from carrying out privileged and administrative operations which can damage the system and/or disrupt its normal operation.

Guido
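The two policy shapes Guido contrasts above, written out as an added illustrative refpolicy-style fragment (this is not the thread's patch and not the project's actual getty.te; the non-sys_admin capabilities listed for getty_t are assumed for illustration, and the two `allow` rules are alternatives, not meant to coexist in one module):

```selinux
# Added illustrative fragment in refpolicy .te syntax. Not taken from the
# refpolicy tree or from the patch under discussion; the capability set
# other than sys_admin is an assumption made for the example.

# --- Weak form (what the thread describes as currently granted) ---
# sys_admin is the SELinux permission name for CAP_SYS_ADMIN. Granting it
# to getty_t means a compromised getty binary, running in getty_t, may call
# any kernel interface gated behind capable(CAP_SYS_ADMIN), a broad set of
# privileged and administrative operations.
allow getty_t self:capability { chown dac_override fsetid sys_tty_config sys_admin };

# --- Tight form (the same rule with the unneeded permission removed) ---
# The process still runs as root, but a CAP_SYS_ADMIN-gated call is now
# denied by SELinux rather than silently allowed, so a malicious getty is
# confined to what a getty actually needs. The denial is logged as an AVC
# message carrying "{ sys_admin }" with a getty_t source context.
allow getty_t self:capability { chown dac_override fsetid sys_tty_config };
```

To check which form a built policy currently carries, query the loaded policy with setools, for example `sesearch -A -s getty_t -c capability -p sys_admin`: a matching `allow` line means the weak form is in effect, and empty output means getty_t cannot obtain sys_admin. One caveat for anyone running a grsec-patched kernel that added a capable() check to a formerly unprivileged interface: the resulting AVC denial is the expected outcome of the tight policy, and feeding it to audit2allow would simply reintroduce the sys_admin grant the thread argues against.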