[refpolicy] [PATCH] Allow getty the sys_admin capability

All of lore.kernel.org
 help / color / mirror / Atom feed

From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Sat, 5 Mar 2016 16:55:57 +0100	[thread overview]
Message-ID: <20160305165557.1935e8b9@gentp.lnet> (raw)
In-Reply-To: <56D98968.30104@tresys.com>

On Fri, 4 Mar 2016 08:11:04 -0500
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 3/3/2016 9:05 PM, Luis Ressel wrote:
> > It's required for agetty on kernels with a recent grsecurity
> > patchset. (The denial itself has been showing up for quite some
> > time, but it hasn't had any obvious ill effects until recently.)  
> 
> I'm reluctant to add this because it is a significant permission and
> grsecurity is not commonly used with SELinux, to my knowledge.
> 

The ML seems to have eaten this mail, so I'm resending it. Apologies if
it arrives twice.

agetty already has enough access permissions so that someone who's
hacked it has compromised the system anyway, so CAP_SYS_ADMIN doesn't
really matter in this context.

But I agree that CAP_SYS_ADMIN is a "monster" permission that shouldn't
be handed out unless really neccessary, so I'm fine if we don't add it
to refpolicy.

I'll fix it on the gentoo side, then; either with a distro_gentoo block
in the policy or with an agetty patch.

By the way, most -- if not all -- gentoo users of SELinux use it in
conjunction with grsecurity. That probably doesn't qualify as "common
usage", though. :)

-- 
Regards,
Luis Ressel

next prev parent reply	other threads:[~2016-03-05 15:55 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-04  2:05 [refpolicy] [PATCH] Allow getty the sys_admin capability Luis Ressel
2016-03-04 13:11 ` Christopher J. PeBenito
2016-03-04 15:54   ` Dominick Grift
2016-03-05 12:18     ` Nicolas Iooss
2016-03-05 13:33       ` Jason Zaman
2016-03-05 13:33       ` Dominick Grift
2016-03-05 14:38       ` Luis Ressel
2016-03-07 15:02         ` Christopher J. PeBenito
2016-03-05 15:55   ` Luis Ressel [this message]
2016-03-05 16:15     ` Jason Zaman
2016-03-05 16:43       ` Luis Ressel
2016-03-05 17:11         ` Nicolas Iooss

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160305165557.1935e8b9@gentp.lnet \
    --to=aranea@aixah.de \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.