* pam_selinux when selinux is disabled
From: Luke Kenneth Casson Leighton @ 2004-12-28 20:20 UTC
To: SE-Linux
does anyone know what happens when selinux is disabled and pam_selinux
is being used [by login, ssh, kdm, whatever]?
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: pam_selinux when selinux is disabled
From: Stephen Smalley @ 2004-12-28 20:15 UTC
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Tue, 2004-12-28 at 15:20, Luke Kenneth Casson Leighton wrote:
> does anyone know what happens when selinux is disabled and pam_selinux
> is being used [by login, ssh, kdm, whatever]?
I believe that pam_selinux checks is_selinux_enabled() and bails
immediately with PAM_SUCCESS if SELinux is not enabled; check the
current pam_selinux module in the recently opened Fedora Core public CVS
tree (see http://cvs.fedora.redhat.com/core.shtml).
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
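
To check how the behaviour described in the reply above applies to a given host, the following added example (not part of the original thread or of pam_selinux) lists the PAM services that name pam_selinux.so and reports the SELinux state they will see. The function names, the use of the selinuxfs `enforce` node as the enabled test, and the default paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# selinux_state [SELINUXFS_DIR]: print disabled, permissive or enforcing.
# Assumption: SELinux counts as enabled when the selinuxfs "enforce" node
# is readable under the mount point (/sys/fs/selinux today, /selinux on
# systems of the thread's era).
selinux_state() {
    fs=${1:-/sys/fs/selinux}
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
    elif [ "$(cat "$fs/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# pam_selinux_services [PAM_DIR]: print each service file that has an
# active (non-comment) line naming pam_selinux.so. "include" lines are
# not followed, so a service that inherits the module is not listed.
pam_selinux_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*[^#[:space:]].*pam_selinux\.so' "$f"; then
            basename "$f"
        fi
    done
}

# report [PAM_DIR] [SELINUXFS_DIR]: one line per affected service.
report() {
    state=$(selinux_state "$2")
    pam_selinux_services "$1" | while read -r svc; do
        if [ "$state" = disabled ]; then
            echo "$svc: pam_selinux configured, expected no-op (SELinux disabled)"
        else
            echo "$svc: pam_selinux configured, active (SELinux $state)"
        fi
    done
}

report "$@"
```

Run with no arguments it inspects /etc/pam.d and /sys/fs/selinux; pass two directories to point it at another root, such as a mounted image.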
* Re: pam_selinux when selinux is disabled
From: Stephen Smalley @ 2004-12-28 20:27 UTC
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Tue, 2004-12-28 at 15:15, Stephen Smalley wrote:
> On Tue, 2004-12-28 at 15:20, Luke Kenneth Casson Leighton wrote:
> > does anyone know what happens when selinux is disabled and pam_selinux
> > is being used [by login, ssh, kdm, whatever]?
>
> I believe that pam_selinux checks is_selinux_enabled() and bails
> immediately with PAM_SUCCESS if SELinux is not enabled; check the
> current pam_selinux module in the recently opened Fedora Core public CVS
> tree (see http://cvs.fedora.redhat.com/core.shtml).
BTW, sshd is no longer using pam_selinux; we had to go back to a direct
patch due to changes in the upstream sshd.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: pam_selinux when selinux is disabled
From: Jaspreet Singh @ 2004-12-29 11:44 UTC
To: Stephen Smalley; +Cc: Luke Kenneth Casson Leighton, nsa
Hi,
On Tue, 2004-12-28 at 15:27 -0500, Stephen Smalley wrote:
> BTW, sshd is no longer using pam_selinux; we had to go back to a direct
> patch due to changes in the upstream sshd.
I am not storing my username/password in standard /etc/passwd but in
different files/DB, so I have personalized getpwnam by
editing /etc/nsswitch.conf.
That works fine.
When you define users in a policy, it calls python getpwnam and adds
user to selinux user db. So I guess even that is fine.
Now, the question is: when login sets selinux context for a user, which
system call does it make to get user identification and which system call
does it use to set the context?
If sshd is not relying on pam_selinux, then is all this hard-coded in
sshd?
Please clarify it.
Jaspreet.
* Re: pam_selinux when selinux is disabled
From: Daniel J Walsh @ 2004-12-29 15:32 UTC
To: jsingh; +Cc: Stephen Smalley, Luke Kenneth Casson Leighton, nsa
Jaspreet Singh wrote:
> Hi,
>
> On Tue, 2004-12-28 at 15:27 -0500, Stephen Smalley wrote:
> > BTW, sshd is no longer using pam_selinux; we had to go back to a direct
> > patch due to changes in the upstream sshd.
>
> I am not storing my username/password in standard /etc/passwd but in
> different files/DB, so I have personalized getpwnam by
> editing /etc/nsswitch.conf.
>
> That works fine.
>
> When you define users in a policy, it calls python getpwnam and adds
> user to selinux user db. So I guess even that is fine.
>
> Now, the question is: when login sets selinux context for a user, which
> system call does it make to get user identification and which system call
> does it use to set the context?
>
> If sshd is not relying on pam_selinux, then is all this hard-coded in
> sshd?
>
> Please clarify it.
> Jaspreet.
All code is using getpwnam type calls, so it should work fine.