From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 29 Nov 2016 00:16:35 +0100 Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap In-Reply-To: <20161129000359.7c70497f@gentp.lnet> References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128224859.013ce4ab@gentp.lnet> <1480370260.14631.12.camel@trentalancia.net> <20161128231432.22c0b1bc@gentp.lnet> <1480371850.14631.21.camel@trentalancia.net> <20161129000359.7c70497f@gentp.lnet> Message-ID: <7A5E57BD-A02E-4C3F-BC55-62BF20B5D762@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. If you revert the getty commit that I mentioned earlier on, you get back ifdef distro_redhat, so eventually you only need to add the new ifdef grsecurity. Finally, as already explained, on a plain system kmod does not need sys_admin either. It's something related only to your specific system that requires the sys_admin capability permission. Only you can find out whether this is due to grsecurity or other patches... I hope it helps... Regards, Guido On the 29th novembre 2016 00:03:59 CET, Luis Ressel wrote: >On Mon, 28 Nov 2016 23:24:10 +0100 >Guido Trentalancia via refpolicy wrote: > >> It's very easy !... >> >> You can create a patch that reverts >> commit?7216d000d94342dc347a976a7a6a65f40a2f41cb and then adds an >> "ifdef grsecurity" for such sys_admin permission (for getty and/or >> kmod). > >Thanks, I'm perfectly aware of *how* to do this, but I'd like to >achieve >a broader consensus first (specifically, I'd really like to hear >Dominick's and Chris' opinions). > >Plus, we should first find out if there actually are any other >permissions in the refpolicy which pertain to grsec requirements. As >I've mentioned, cap_sys_admin may actually be required for agetty even >on non-grsec systems (I think Dominick said so, and it used to be >granted by distro_redhat, too). And we haven't established yet whether >kmod needing cap_sys_admin is grsec-related anyway. Therefore, we might >perhaps be left with no grsec-specific permissions at all. :) > >> Enclosing them in double ifdef should not be necessary. In my >opinion, >> the former proposal is enough (ifdef grsecurity). > >Of course double ifdef's wouldn't make much sense. I was merely >suggesting that we could use distro_gentoo for this instead of adding a >new ifdef variable. > >Regards, >Luis