From: aranea@aixah.de (Luis Ressel)
Date: Wed, 13 Sep 2017 04:51:40 +0200
Subject: [refpolicy] [PATCH] getty: Apply auth_use_nsswitch interface
In-Reply-To: <7ced59d5-11b0-922d-ca42-0a74ae6c18c9@ieee.org>
References: <20170912073247.26556-1-aranea@aixah.de> <7ced59d5-11b0-922d-ca42-0a74ae6c18c9@ieee.org>
Message-ID: <20170913045051.6419760a@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 19:17:19 -0400 Chris PeBenito via refpolicy wrote:

> On 09/12/2017 03:32 AM, Luis Ressel via refpolicy wrote:
> > From: Jason Zaman
> >
> > agetty looks up the tty group in /etc/groups
> > ---
> > policy/modules/system/getty.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/getty.te > > b/policy/modules/system/getty.te index 6d3c4284a..3a7564ab6 100644 > > --- a/policy/modules/system/getty.te > > +++ b/policy/modules/system/getty.te > > @@ -82,6 +82,7 @@ term_setattr_unallocated_ttys(getty_t) > > term_setattr_console(getty_t) > > > > auth_rw_login_records(getty_t) > > +auth_use_nsswitch(getty_t)
>
> Nsswitch is such a heavy set of permissions. I'm inclined to simply
> add the needed permissions instead blanketing it with
> auth_use_nsswitch. There's no reason for it ever to go off to one of
> the other sources for the tty group.

Okay, I retract this patch.
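
Review bot: The added `auth_use_nsswitch(getty_t)` line at the end of the hunk grants more than the commit message justifies: the stated need is only that agetty looks up the tty group in the local group file, while the nsswitch interface also permits the other name-service sources. Suggest replacing it with just the read access that lookup requires, and quoting the AVC denial in the commit message so the needed permission is documented. The commit message also names /etc/groups; the file is /etc/group.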