From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Fri, 4 Mar 2016 16:54:17 +0100	[thread overview]
Message-ID: <56D9AFA9.503@gmail.com> (raw)
In-Reply-To: <56D98968.30104@tresys.com>

On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote:
> On 3/3/2016 9:05 PM, Luis Ressel wrote:
>> It's required for agetty on kernels with a recent grsecurity
>> patchset. (The denial itself has been showing up for quite some
>> time, but it hasn't had any obvious ill effects until recently.)
> 
> I'm reluctant to add this because it is a significant permission
> and grsecurity is not commonly used with SELinux, to my knowledge.
> 

My getty requests this permission as well [1], and I am not using
grsecurity. Although, I am not sure if the permission is absolutely
needed. (Then again, I do not believe that it requests it for its
health alone.)

[1]
https://github.com/DefenSec/dssp-contrib/blob/master/services/getty/policy.cil#L22

> 
>> --- policy/modules/system/getty.te | 7 +------ 1 file changed, 1
>> insertion(+), 6 deletions(-)
>> 
>> diff --git a/policy/modules/system/getty.te
>> b/policy/modules/system/getty.te index f6743ea..80fec66 100644 
>> --- a/policy/modules/system/getty.te +++
>> b/policy/modules/system/getty.te @@ -33,7 +33,7 @@
>> files_pid_file(getty_var_run_t) #
>> 
>> # Use capabilities. -allow getty_t self:capability { dac_override
>> chown setgid sys_resource sys_tty_config fowner fsetid }; +allow
>> getty_t self:capability { dac_override chown setgid sys_admin
>> sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t
>> self:capability sys_tty_config; allow getty_t self:process {
>> getpgid setpgid getsession signal_perms }; allow getty_t
>> self:fifo_file rw_fifo_file_perms; @@ -102,11 +102,6 @@
>> ifdef(`distro_gentoo',` sysnet_dns_name_resolve(getty_t) ')
>> 
>> -ifdef(`distro_redhat',` -	# getty requires sys_admin #209426 -
>> allow getty_t self:capability sys_admin; -') - 
>> ifdef(`distro_ubuntu',` optional_policy(` 
>> unconfined_domain(getty_t)
>> 
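Review bot: the sys_admin added to the "allow getty_t self:capability { ... }" line in the first hunk is an unconditional grant, while the cover text only says it is required on kernels with a recent grsecurity patchset. State which agetty operation hits the denial (an AVC record shows that the capability was requested, not that agetty fails without it), and either keep the grant gated the way the "ifdef(`distro_redhat'" block this same patch removes was, or extend the "# Use capabilities." comment with the reason an unconditional grant is now justified. Visible in the same context, and pre-existing rather than introduced here: "dontaudit getty_t self:capability sys_tty_config;" has no effect while sys_tty_config is also in the allow list on the line above it.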
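Review bot: the second hunk, which deletes the "ifdef(`distro_redhat'" block, also deletes the only comment recording why getty was given sys_admin ("# getty requires sys_admin #209426"). Since the permission moves into the unconditional rule rather than going away, carry that bug reference over to the comment above the capability line so the justification survives in the policy. The commit message should say the same, that the Red Hat conditional is being folded into the base rule, because the diffstat ("1 insertion(+), 6 deletions(-)") reads as a net removal of policy.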
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

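Added example for the question raised in the message above, whether a logged sys_admin request means getty actually needs the capability. This is not code from the thread or from refpolicy: a small POSIX shell pipeline that turns capability AVC denials into refpolicy allow rules, one per source domain and object class, and flags the capabilities (an assumed list, not one refpolicy defines) that should be verified in enforcing mode before being allowed. The audit records it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from refpolicy): turn
# capability AVC denials into refpolicy allow rules and flag the
# capabilities a reviewer would not grant on the strength of a
# denial alone.

# Capabilities worth a second look before they are allowed outright.
# This list is an assumption for the example, not something refpolicy
# defines.
SIGNIFICANT_CAPS="sys_admin sys_module sys_rawio sys_ptrace dac_override"

# Constructed audit records for demonstration; not taken from any
# real system.  The third line repeats the first so that duplicate
# denials collapse, the fourth is a file denial that must be ignored,
# and the last one was logged while the domain was permissive.
SAMPLE_AUDIT='type=AVC msg=audit(1457106857.101:201): avc:  denied  { sys_admin } for  pid=412 comm="agetty" capability=21  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1457106857.102:202): avc:  denied  { sys_tty_config } for  pid=412 comm="agetty" capability=26  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1457106858.303:203): avc:  denied  { sys_admin } for  pid=412 comm="agetty" capability=21  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1457106859.404:204): avc:  denied  { read } for  pid=412 comm="agetty" name="issue" dev="vda1" ino=1234 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1457106860.505:205): avc:  denied  { setgid } for  pid=414 comm="agetty" capability=6  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=1'

# Print "domain class capability" triples, one capability per line,
# deduplicated.  Only capability and capability2 denials pass the sed
# filter; the awk loop splits multi-permission braces such as
# "{ sys_admin sys_tty_config }".
avc_cap_triples() {
    sed -n 's/.*avc:  *denied  *{ *\([a-z_ ]*[a-z_]\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\(capability2*\).*/\2 \3 \1/p' \
    | awk '{ for (i = 3; i <= NF; i++) print $1, $2, $i }' \
    | sort -u
}

# Aggregate the triples into refpolicy syntax:
#   allow <domain> self:<class> { cap cap ... };
avc_to_rules() {
    avc_cap_triples | awk '
        function flush() {
            if (key != "") printf "allow %s self:%s {%s };\n", dom, cls, caps
        }
        ($1 " " $2) != key { flush(); key = $1 " " $2; dom = $1; cls = $2; caps = "" }
        { caps = caps " " $3 }
        END { flush() }'
}

# Report capabilities from SIGNIFICANT_CAPS so the rule is not added
# blindly: a logged denial shows a request, not a requirement.
flag_significant() {
    avc_cap_triples | awk -v sig="$SIGNIFICANT_CAPS" '
        BEGIN { n = split(sig, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
        ($3 in s) { printf "check: %s requests %s; test in enforcing mode before allowing it\n", $1, $3 }'
}

# Demo run on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules
printf '%s\n' "$SAMPLE_AUDIT" | flag_significant
```

The flag is the practical caveat behind the thread: an AVC denial records that the process asked for the capability, not that it failed without it. If getty keeps working in enforcing mode while the denial is logged, a dontaudit rule is the conservative fix; an allow is justified once a concrete failure without the capability has been shown.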
Thread overview: 12+ messages
2016-03-04  2:05 [refpolicy] [PATCH] Allow getty the sys_admin capability Luis Ressel
2016-03-04 13:11 ` Christopher J. PeBenito
2016-03-04 15:54   ` Dominick Grift [this message]
2016-03-05 12:18     ` Nicolas Iooss
2016-03-05 13:33       ` Jason Zaman
2016-03-05 13:33       ` Dominick Grift
2016-03-05 14:38       ` Luis Ressel
2016-03-07 15:02         ` Christopher J. PeBenito
2016-03-05 15:55   ` Luis Ressel
2016-03-05 16:15     ` Jason Zaman
2016-03-05 16:43       ` Luis Ressel
2016-03-05 17:11         ` Nicolas Iooss
