From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 28 Nov 2016 23:08:37 +0100 Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap In-Reply-To: <20161128230320.158d4202@gentp.lnet> References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128230320.158d4202@gentp.lnet> Message-ID: <1480370917.14631.16.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, 28/11/2016 at 23.03 +0100, Luis Ressel wrote: > On Mon, 28 Nov 2016 18:02:56 +0100 > Guido Trentalancia via refpolicy wrote: [...] > I do of course agree that unconditionally adding grsec-specific > permissions to the refpolicy isn't optimal either. > > What are your thoughts about adding a new kernel_grsec ifdef, similar > to our current distro_* ifdef's? It would apply to the getty_t > permission I mentioned earlier, to the kmod_t capability discussed in > this thread (as soon as we've confirmed it is indeed grsec-related), > and to any other grsec-specific permissions we've added in the past > (@Sven, Jason: Do you remember any such permissions?). Yes, that's the way forward. > The vast majority of refpolicy+grsec users are probably gentoo folks, > so we could keep these permissions in ifdef(distro_gentoo) blocks, > too; Enclosing them in double ifdef should not be necessary. In my opinion, the former proposal is enough (ifdef grsecurity). > but I think that wouldn't be ideal. After all, there may well be > other > people using this particular combination; it's not gentoo-specific. I really look forward to seeing the optimized patches ! Regards, Guido