From: russell@coker.com.au (Russell Coker)
Date: Thu, 27 Apr 2017 02:20:27 +1000
Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule
	(emergency shell!)
In-Reply-To: <5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net>
References: <1492802281.4493.1.camel@trentalancia.net>
	<20170426130544.GA3729@julius>
	<5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net>
Message-ID: <201704270220.27679.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 27 Apr 2017 01:42:31 AM Guido Trentalancia via refpolicy wrote:
> >> @@ -215,7 +215,8 @@ optional_policy(`
> >> 
> >>  # Sulogin local policy
> >>  #
> >> 
> >> -allow sulogin_t self:capability dac_override;
> >> +allow sulogin_t self:capability { dac_override sys_admin
> >
> >sys_tty_config };
> >
> >I suspect that cap_sys_admin can be safely dontaudited
> 
> Yes, I thought the same, but then considering it is a sysadmin shell, I did
> not even check.
> 
> Also, remember we probably still have sys_admin for getty which runs
> unprivileged shells...

http://oss.tresys.com/pipermail/refpolicy/2016-March/007901.html

Above is the list discussion from last time this came up.  If you can get 
sulogin to operate correctly without sys_admin then the next thing to do would 
be to try and get getty to do the same.  As you note getty runs unprivileged 
shells, but also it tends to be run from les secure devices such as serial 
consoles, modems, etc that sulogin will never be run from.

I'm a little surprised at your "considering it is a sysadmin shell" argument 
given that the reason you started working on sulogin policy is that you 
believed that I was giving it excess permissions.  Previously you didn't 
accept my argument that sulogin is permitted to run "bash -c setsebool" etc.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/