From: russell@coker.com.au (Russell Coker)
Date: Thu, 27 Apr 2017 02:20:27 +1000
Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!)
In-Reply-To: <5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net>
References: <1492802281.4493.1.camel@trentalancia.net> <20170426130544.GA3729@julius> <5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net>
Message-ID: <201704270220.27679.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 27 Apr 2017 01:42:31 AM Guido Trentalancia via refpolicy wrote:
> >> @@ -215,7 +215,8 @@ optional_policy(`
> >>
> >> # Sulogin local policy
> >> #
> >>
> >> -allow sulogin_t self:capability dac_override;
> >> +allow sulogin_t self:capability { dac_override sys_admin
> >
> >sys_tty_config };
> >
> >I suspect that cap_sys_admin can be safely dontaudited
>
> Yes, I thought the same, but then considering it is a sysadmin shell, I did
> not even check.
>
> Also, remember we probably still have sys_admin for getty which runs
> unprivileged shells...

http://oss.tresys.com/pipermail/refpolicy/2016-March/007901.html

Above is the list discussion from last time this came up.

If you can get sulogin to operate correctly without sys_admin then the next
thing to do would be to try and get getty to do the same. As you note getty
runs unprivileged shells, but also it tends to be run from less secure devices
such as serial consoles, modems, etc that sulogin will never be run from.

I'm a little surprised at your "considering it is a sysadmin shell" argument
given that the reason you started working on sulogin policy is that you
believed that I was giving it excess permissions. Previously you didn't accept
my argument that sulogin is permitted to run "bash -c setsebool" etc.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
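Review bot: the replacement line `+allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };` grants cap_sys_admin outright, while the thread itself says that capability can probably be dontaudited; if sulogin runs correctly without it, keep the allow rule to `{ dac_override sys_tty_config }` and add `dontaudit sulogin_t self:capability sys_admin;` so the denial stays quiet without widening the domain. Also, the header `@@ -215,7 +215,8 @@` says the hunk grows by one line, but only a one-for-one replacement of the allow rule is visible in the quoted text, so the rest of this hunk should be checked against the full patch.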