From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 28 Nov 2016 20:55:51 -0500 Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap In-Reply-To: <7A5E57BD-A02E-4C3F-BC55-62BF20B5D762@trentalancia.net> References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128224859.013ce4ab@gentp.lnet> <1480370260.14631.12.camel@trentalancia.net> <20161128231432.22c0b1bc@gentp.lnet> <1480371850.14631.21.camel@trentalancia.net> <20161129000359.7c70497f@gentp.lnet> <7A5E57BD-A02E-4C3F-BC55-62BF20B5D762@trentalancia.net> Message-ID: <7e4a1ef4-edeb-e59e-d178-5ac904d28965@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/28/16 18:16, Guido Trentalancia via refpolicy wrote: > Hello. > > If you revert the getty commit that I mentioned earlier on, you get back ifdef distro_redhat, so eventually you only need to add the new ifdef grsecurity. > > Finally, as already explained, on a plain system kmod does not need sys_admin either. > > It's something related only to your specific system that requires the sys_admin capability permission. > > Only you can find out whether this is due to grsecurity or other patches... If it turns out to be grsecurity, I'm not eager to add an additional build option to handle this situation. It seems better fitting for Gentoo to carry that patch as they support SELinux with grsecurity. > On the 29th novembre 2016 00:03:59 CET, Luis Ressel wrote: >> On Mon, 28 Nov 2016 23:24:10 +0100 >> Guido Trentalancia via refpolicy wrote: >> >>> It's very easy !... >>> >>> You can create a patch that reverts >>> commit 7216d000d94342dc347a976a7a6a65f40a2f41cb and then adds an >>> "ifdef grsecurity" for such sys_admin permission (for getty and/or >>> kmod). >> >> Thanks, I'm perfectly aware of *how* to do this, but I'd like to >> achieve >> a broader consensus first (specifically, I'd really like to hear >> Dominick's and Chris' opinions). >> >> Plus, we should first find out if there actually are any other >> permissions in the refpolicy which pertain to grsec requirements. As >> I've mentioned, cap_sys_admin may actually be required for agetty even >> on non-grsec systems (I think Dominick said so, and it used to be >> granted by distro_redhat, too). And we haven't established yet whether >> kmod needing cap_sys_admin is grsec-related anyway. Therefore, we might >> perhaps be left with no grsec-specific permissions at all. :) >> >>> Enclosing them in double ifdef should not be necessary. In my >> opinion, >>> the former proposal is enough (ifdef grsecurity). >> >> Of course double ifdef's wouldn't make much sense. I was merely >> suggesting that we could use distro_gentoo for this instead of adding a >> new ifdef variable. >> >> Regards, >> Luis > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito