From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Sat, 5 Mar 2016 14:33:55 +0100 [thread overview]
Message-ID: <56DAE043.2030002@gmail.com> (raw)
In-Reply-To: <56DACE7F.7090502@m4x.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/05/2016 01:18 PM, Nicolas Iooss wrote:
> On 03/04/2016 04:54 PM, Dominick Grift wrote:
>> On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote:
>>> On 3/3/2016 9:05 PM, Luis Ressel wrote:
>>>> It's required for agetty on kernels with a recent grsecurity
>>>> patchset. (The denial itself has been showing up for quite
>>>> some time, but it hasn't had any obvious ill effects until
>>>> recently.)
>>
>>> I'm reluctant to add this because it is a significant
>>> permission and grsecurity is not commonly used with SELinux, to
>>> my knowledge.
>>
>>
>> My getty requests this permission as well [1] and i am not using
>> grsecurity. Although, i am not sure if the permission is
>> absolutely needed. (then again I do not believe that it requests
>> it for its health alone)
>
> Hello, as I was wondering what was behind agetty requiring
> sys_admin capabilities and what would happen if the access is
> denied, I took a look to its source code. The TIOCSTI ioctl (the
> mechanism which allows injecting characters in a terminal input
> queue) seems to only been used in a function named
> wait_for_term_input [1]. This allows the user input to be seen as
> a "normal input" while wait_for_term_input temporarily configured
> the terminal with ICANON, ECHO... attributes disabled.
>
> If the ioctl(fd, TIOCSTI, buffer + i) call fails (for example
> because sys_admin is not granted by SELinux), this is silently
> ignored. As far as I understand the code, wait_for_term_input
> function is only used at the beginning of the login prompt (the
> characters are echoed to the terminal) and not the password prompt.
> Therefore the user may get the feeling that the first typed
> character has been dropped somewhere. Is that so? Are there other
> annoyances that I missed in my quick analysis?
>
> Anyway, before grsecurity added a test for sys_admin when a process
> uses TIOCSTI ioctl on its own tty, the capability has already been
> granted when distro_redhat is enabled. The comment which is
> associated to this access, "getty requires sys_admin #209426", is
> not clear to me. Where could I find more information about this
> bug report?
>
Seems to be a private bug report
https://bugzilla.redhat.com/show_bug.cgi?id=209426
I personally am of the opinion that we generally should not decide
what a process can and cannot do. If it requests it, and if it is not
a bug then I think it should be allowed.
> Cheers, Nicolas
>
> [1]
> https://git.kernel.org/cgit/utils/util-linux/util-linux.git/tree/term-
utils/agetty.c?h=v2.27.1#n1659
>
>
_______________________________________________
> refpolicy mailing list refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW2uA/AAoJECV0jlU3+UdpI+AMAI4FKdRYnomRI8MQMvdijRm4
G4K2/sx2iTLV+UlnB06I4J7J6Sfm5kwyjbkMrHH9+t+NoiZLWqCxlTk9q7fN/Ktx
XC0BSPQOltJ+/BN2ohWF8or4VZb2Re9gnqwl0EtOuID9ekFJuwdixFHhFcTGBPMm
4B3W6uR7sSY9cNeNJOZ0pJjciUNktNeupgBV1MDbFyeSG0wNvnAzxeYUoEnE25Sw
HnTBN+/8fk9kGeTSl3ShCxvLhBluOVqQCVmq5ZdnsUGP95uPn1/XUUgy146epXGx
+Mmy7lcEUPviBMhKq5IrUsYbZJoPMZr6Xdd/W5j2J0EUyY21W0lIbDLd4ica5Qsy
sqsd4OCL785BHJFD/eLK2LlPR696aISlCcjpp96+nUbz8M2i8zJzxhSbk/sByeQH
IizWBtfmShq9NegQKQU8HbX3uVSXJ2Eu6w+74WuUnHsCMQvhbT9llNn5bV6FRagS
LkFLjXFmWnuFw3QhcYLZ4HoljUBBupqCtpJhSlOD0w==
=5N+h
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2016-03-05 13:33 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-04 2:05 [refpolicy] [PATCH] Allow getty the sys_admin capability Luis Ressel
2016-03-04 13:11 ` Christopher J. PeBenito
2016-03-04 15:54 ` Dominick Grift
2016-03-05 12:18 ` Nicolas Iooss
2016-03-05 13:33 ` Jason Zaman
2016-03-05 13:33 ` Dominick Grift [this message]
2016-03-05 14:38 ` Luis Ressel
2016-03-07 15:02 ` Christopher J. PeBenito
2016-03-05 15:55 ` Luis Ressel
2016-03-05 16:15 ` Jason Zaman
2016-03-05 16:43 ` Luis Ressel
2016-03-05 17:11 ` Nicolas Iooss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DAE043.2030002@gmail.com \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.