From: aranea@aixah.de (Luis Ressel)
Date: Tue, 29 Nov 2016 00:03:59 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <1480371850.14631.21.camel@trentalancia.net>
References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128224859.013ce4ab@gentp.lnet> <1480370260.14631.12.camel@trentalancia.net> <20161128231432.22c0b1bc@gentp.lnet> <1480371850.14631.21.camel@trentalancia.net>
Message-ID: <20161129000359.7c70497f@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28 Nov 2016 23:24:10 +0100
Guido Trentalancia via refpolicy wrote:

> It's very easy !...
>
> You can create a patch that reverts
> commit 7216d000d94342dc347a976a7a6a65f40a2f41cb and then adds an
> "ifdef grsecurity" for such sys_admin permission (for getty and/or
> kmod).

Thanks, I'm perfectly aware of *how* to do this, but I'd like to
achieve a broader consensus first (specifically, I'd really like to
hear Dominick's and Chris' opinions).

Plus, we should first find out if there actually are any other
permissions in the refpolicy which pertain to grsec requirements. As
I've mentioned, cap_sys_admin may actually be required for agetty even
on non-grsec systems (I think Dominick said so, and it used to be
granted by distro_redhat, too). And we haven't established yet whether
kmod needing cap_sys_admin is grsec-related anyway. Therefore, we might
perhaps be left with no grsec-specific permissions at all. :)

> Enclosing them in double ifdef should not be necessary. In my opinion,
> the former proposal is enough (ifdef grsecurity).

Of course double ifdef's wouldn't make much sense. I was merely
suggesting that we could use distro_gentoo for this instead of adding a
new ifdef variable.

Regards,
Luis