From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 19:17:19 -0400
Subject: [refpolicy] [PATCH] getty: Apply auth_use_nsswitch interface
In-Reply-To: <20170912073247.26556-1-aranea@aixah.de>
References: <20170912073247.26556-1-aranea@aixah.de>
Message-ID: <7ced59d5-11b0-922d-ca42-0a74ae6c18c9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 03:32 AM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman <jason@perfinion.com>
> 
> agetty looks up the tty group in /etc/groups
> ---
>   policy/modules/system/getty.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 6d3c4284a..3a7564ab6 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -82,6 +82,7 @@ term_setattr_unallocated_ttys(getty_t)
>   term_setattr_console(getty_t)
>   
>   auth_rw_login_records(getty_t)
> +auth_use_nsswitch(getty_t)

Nsswitch is such a heavy set of permissions.  I'm inclined to simply add 
the needed permissions instead blanketing it with auth_use_nsswitch. 
There's no reason for it ever to go off to one of the other sources for 
the tty group.


-- 
Chris PeBenito