From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Tue, 29 Nov 2016 07:22:07 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <7e4a1ef4-edeb-e59e-d178-5ac904d28965@ieee.org>
References: <20161127164146.3773-1-aranea@aixah.de>
 <20161127164146.3773-2-aranea@aixah.de>
 <1480278785.620.4.camel@trentalancia.net>
 <20161127222218.1ae86825@gentp.lnet>
 <1480285881.620.14.camel@trentalancia.net>
 <20161127235012.78adccd6@gentp.lnet>
 <1480352576.14631.5.camel@trentalancia.net>
 <20161128224859.013ce4ab@gentp.lnet>
 <1480370260.14631.12.camel@trentalancia.net>
 <20161128231432.22c0b1bc@gentp.lnet>
 <1480371850.14631.21.camel@trentalancia.net>
 <20161129000359.7c70497f@gentp.lnet>
 <7A5E57BD-A02E-4C3F-BC55-62BF20B5D762@trentalancia.net>
 <7e4a1ef4-edeb-e59e-d178-5ac904d28965@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Nov 29, 2016 at 2:55 AM, Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> On 11/28/16 18:16, Guido Trentalancia via refpolicy wrote:
> > Hello.
> >
> > If you revert the getty commit that I mentioned earlier on, you get back
> > ifdef distro_redhat, so eventually you only need to add the new ifdef
> > grsecurity.
> >
> > Finally, as already explained, on a plain system kmod does not need
> > sys_admin either.
> >
> > It's something related only to your specific system that requires the
> > sys_admin capability permission.
> >
> > Only you can find out whether this is due to grsecurity or other
> > patches...
>
> If it turns out to be grsecurity, I'm not eager to add an additional
> build option to handle this situation. It seems better fitting for
> Gentoo to carry that patch as they support SELinux with grsecurity.

By the way, I also maintain (and am using) a grsec+SELinux kernel for Arch Linux, but as Arch Linux is currently unsupported by refpolicy I guess this does not change anything.

Anyway, for the agetty use of TIOCSTI, when I analyzed the code back in March [1] I found that forbidding it would only cause agetty to miss one keypress if it went into a pause (with the "[press ENTER to login]" message). So I do not have a strong opinion on whether cap_sys_admin should be granted or not to support TIOCSTI on grsec kernels.

For the kmod part, I do not have such an issue on my system (grepping for kmod_t AVC denials in my audit.log did not show anything relevant), but I guess it depends on the video driver which is used.

Regards,
Nicolas

[1] http://oss.tresys.com/pipermail/refpolicy/2016-March/thread.html , more precisely http://oss.tresys.com/pipermail/refpolicy/2016-March/007880.html