From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 29 Nov 2016 13:53:54 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability (was Re:
 [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap)
In-Reply-To: <CAJfZ7==gnXKBp9k_CiK5SZNfPDhVmWU_Q44fpX4Hhm_z9yjXKw@mail.gmail.com>
References: <20161127164146.3773-1-aranea@aixah.de>
	<20161127164146.3773-2-aranea@aixah.de>
	<1480278785.620.4.camel@trentalancia.net>
	<20161127222218.1ae86825@gentp.lnet>
	<1480285881.620.14.camel@trentalancia.net>
	<20161127235012.78adccd6@gentp.lnet>
	<1480352576.14631.5.camel@trentalancia.net>
	<20161128224859.013ce4ab@gentp.lnet>
	<1480370260.14631.12.camel@trentalancia.net>
	<20161128231432.22c0b1bc@gentp.lnet>
	<1480371850.14631.21.camel@trentalancia.net>
	<20161129000359.7c70497f@gentp.lnet>
	<7A5E57BD-A02E-4C3F-BC55-62BF20B5D762@trentalancia.net>
	<7e4a1ef4-edeb-e59e-d178-5ac904d28965@ieee.org>
	<CAJfZ7==gnXKBp9k_CiK5SZNfPDhVmWU_Q44fpX4Hhm_z9yjXKw@mail.gmail.com>
Message-ID: <1480424034.3165.8.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Nicolas.

On Tue, 29/11/2016 at 07.22 +0100, Nicolas Iooss wrote:
> On Tue, Nov 29, 2016 at 2:55 AM, Chris PeBenito via refpolicy <refpol
> icy at oss.tresys.com> wrote:
> > On 11/28/16 18:16, Guido Trentalancia via refpolicy wrote:
> > > Hello.
> > >
> > > If you revert the getty commit that I mentioned earlier on, you
> > get back ifdef distro_redhat, so eventually you only need to add
> > the new ifdef grsecurity.
> > >
> > > Finally, as already explained, on a plain system kmod does not
> > need sys_admin either.
> > >
> > > It's something related only to your specific system that requires
> > the sys_admin capability permission.
> > >
> > > Only you can find out whether this is due to grsecurity or other
> > patches...
> > 
> > If it turns out to be grsecurity, I'm not eager to add an
> > additional
> > build option to handle this situation.? It seems better fitting for
> > Gentoo to carry that patch as they support SELinux with grsecurity.
> 
> By the way, I also maintain (and am using) a grsec+SELinux kernel for
> Arch Linux, but as Arch Linux is currently unsupported by refpolicy I
> guess this does not change anything.
> Anyway, for the agetty use of?TIOCSTI, when I analyzed the code back
> in March [1] I found that forbidding it would only cause agetty to
> miss one keypress if it went into a pause (with "[press ENTER to
> login]" message). So I do not have a strong opinion on whether 

I have tested agetty from util-linux version 2.28 (with the non-
standard "-p" option necessary to reproduce the problem) and it does
not suffer from the problem that you describe above (missing one
keypress), although it requires the sys_admin capability permission
(possibly for ioctl()).

So, my opinion is that it is much better to remove the sys_admin
capability permission from the getty module too, because it is
dangerous and it does not provide any practical benefit.

Also, other versions of getty such as mingetty (commonly used on
virtual terminals) do not require the permission.

> cap_sys_admin would be granted or not to support TIOCSTI on grsec
> kernels.
> For the kmod part, I do not have such an issue on my system (grepping
> kmod_t AVC denials in my audit.log did not show anything relevant)
> but I guess it depends on the video driver which is used.
> 
> Regards,
> Nicolas
> 
> [1]?http://oss.tresys.com/pipermail/refpolicy/2016-March/thread.html
> , more precisely http://oss.tresys.com/pipermail/refpolicy/2016-
> March/007880.html

Regards,

Guido