From: Dominick Grift <dac.override@gmail.com>
To: "Sugar, David" <dsugar@tresys.com>,
"selinux-refpolicy@vger.kernel.org"
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 2/2] pam_faillock creates files in /run/faillock
Date: Sun, 23 Dec 2018 11:46:48 +0100
Message-ID: <20181223104648.GB20992@brutus.lan>
In-Reply-To: <20181223102000.GA20992@brutus.lan>
On Sun, Dec 23, 2018 at 11:20:00AM +0100, Dominick Grift wrote:
> On Sat, Dec 22, 2018 at 02:58:41AM +0000, Sugar, David wrote:
> >
> > On 12/21/18 5:34 AM, Dominick Grift wrote:
> > > On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
> > >> These are changes needed when pam_faillock creates files in /run/faillock
> > >> (which is labeled faillog_t). sudo and xdm (and probably other domains)
> > >> will create files in this directory for successful and failed login
> > >> attempts.
> > > The pam stuff has become a bit broken in my view.
> > >
> > > We used to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly.
> > >
> > > So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead.
> > >
> > > My opinion is that this belongs in auth_use_pam()
> >
> > Dominick,
> >
> > I see those interfaces. It looks like xdm_t already uses
> > auth_login_pgm_domain(xdm_t). It also isn't really clear to me what the
> > difference is between auth_login_pgm_domain() and auth_use_pam(). I
> > will make updates moving my change into auth_use_pam() and also update
> > sudo_role_template() to use (I think) auth_login_pgm_domain ().
>
> sudo is not an auth_login_pgm_domain() I believe
>
> the auth_use_pam() is a subset of auth_login_pgm_domain()
>
> so login_pgm domains are pam clients plus extras needed to log in users
>
> an auth_use_pam() (pam client) has a pam stack but it might not actually do logins
>
> sudo uses pam but it's not a real login program, so afaik sudo should call auth_use_pam()
> xdm is a login_pgm, so is sshd etc
>
> systemd is also a pam client, but not a login program
And yes systemd needs to be able to create these /run/faillock/USER files as well, but if you test this on RHEL then you won't see it because
RHEL doesn't use /etc/pam.d/systemd-user (I suppose)
so:
1. auth_use_pam() == "pam clients" (programs that have a file in /etc/pam.d), they use pam for authentication of some sort
2. auth_login_pgm_domain() == superset (special pam clients that need permissions to do actual logins)
>
> >
> > I will resubmit this patch,
> >
> > --- snip ---
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
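An added example, not part of this thread or of refpolicy, of the check a policy author would run before deciding whether new faillog_t rules belong in auth_use_pam() or auth_login_pgm_domain(): it groups AVC denials against one target type by source domain and object class, then renders audit2allow-style rules for review. The audit lines embedded below are constructed to look like what a PAM client lacking the /run/faillock rules would produce (sudo_t, xdm_t and init_t are existing refpolicy types; the pids, comm values and user names are made up), and the init_t line assumes the /etc/pam.d/systemd-user stack mentioned above is in use.

```python
"""Group SELinux AVC denials on one target type and render allow rules.

Added example (not from the refpolicy mailing list thread). The sample
audit records are constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample AVC records. Three PAM client domains are denied on
# faillog_t; the last line (shadow_t) is noise that must be filtered out.
SAMPLE_AVC = """\
type=AVC msg=audit(1545562800.123:456): avc:  denied  { create } for  pid=1234 comm="sudo" name="alice" scontext=staff_u:staff_r:sudo_t:s0 tcontext=staff_u:object_r:faillog_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545562801.456:457): avc:  denied  { write open } for  pid=1234 comm="sudo" path="/run/faillock/alice" scontext=staff_u:staff_r:sudo_t:s0 tcontext=staff_u:object_r:faillog_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545562900.789:458): avc:  denied  { create } for  pid=2345 comm="gdm-session-wor" name="bob" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545563000.012:459): avc:  denied  { add_name } for  pid=1 comm="systemd" name="carol" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1545563100.345:460): avc:  denied  { read } for  pid=3456 comm="cat" name="shadow" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Permissions sit in "{ ... }" right after "denied"; the contexts and
# class always appear in the order scontext, tcontext, tclass.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line into perms/source type/target type/class, or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def denials_on(text, target_type):
    """Map (source type, object class) -> set of denied permissions on target_type."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == target_type:
            grouped[(rec["stype"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)


def allow_rules(denials, target_type):
    """Render raw allow rules from grouped denials, one per (domain, class).

    These are the starting point for review only; in refpolicy the access
    would be expressed through an interface (e.g. auth_use_pam()) rather
    than pasted into each caller's .te file.
    """
    return [
        f"allow {stype} {target_type}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, tclass), perms in sorted(denials.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(denials_on(SAMPLE_AVC, "faillog_t"), "faillog_t"):
        print(rule)
```

Run against real data with `ausearch -m avc -ts recent` piped in instead of SAMPLE_AVC; every source domain that shows up on faillog_t is a PAM client and belongs in the interface, and the set of classes (dir vs. file) tells you which refpolicy macros the interface needs.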
Thread overview: 15+ messages
2018-12-21 1:41 [PATCH 1/2] Allow greeter to start dbus and transition David Sugar
2018-12-21 1:41 ` [PATCH 2/2] pam_faillock creates files in /run/faillock David Sugar
2018-12-21 10:34 ` Dominick Grift
2018-12-22 2:58 ` Sugar, David
2018-12-22 19:20 ` Chris PeBenito
2018-12-23 10:20 ` Dominick Grift
2018-12-23 10:46 ` Dominick Grift [this message]
2018-12-23 16:09 ` Dominick Grift
2018-12-23 16:16 ` Dominick Grift
2018-12-22 19:28 ` [PATCH 1/2] Allow greeter to start dbus and transition Chris PeBenito
2018-12-23 16:33 ` Dominick Grift
2018-12-23 16:45 ` Dominick Grift
2018-12-23 16:52 ` Dominick Grift
2018-12-23 16:55 ` Dominick Grift
2018-12-23 17:02 ` Dominick Grift