From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 19:17:19 -0400
Subject: [refpolicy] [PATCH] getty: Apply auth_use_nsswitch interface
In-Reply-To: <20170912073247.26556-1-aranea@aixah.de>
References: <20170912073247.26556-1-aranea@aixah.de>
Message-ID: <7ced59d5-11b0-922d-ca42-0a74ae6c18c9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 03:32 AM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman
>
> agetty looks up the tty group in /etc/groups
> ---
> policy/modules/system/getty.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 6d3c4284a..3a7564ab6 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -82,6 +82,7 @@ term_setattr_unallocated_ttys(getty_t)
> term_setattr_console(getty_t)
>
> auth_rw_login_records(getty_t)
> +auth_use_nsswitch(getty_t)

Nsswitch is such a heavy set of permissions. I'm inclined to simply add the needed permissions instead of blanketing it with auth_use_nsswitch. There's no reason for it ever to go off to one of the other sources for the tty group.

--
Chris PeBenito
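Review bot: the added auth_use_nsswitch(getty_t) line at the end of the getty.te hunk is justified in the commit message only by a lookup of the tty group in a local file, and the message does not show which accesses were actually denied. Please include the observed denials in the commit message and grant getty_t only the access they call for, so that the change is scoped to the single group-file read it describes rather than to every name-service source that auth_use_nsswitch covers.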