Also, how would you allow the user to select the context they will log in as if there is more than one? Unless we remove this capability and always force users to use newrole.

Dan

Stephen Smalley wrote:
On Fri, 2003-08-22 at 10:09, Russell Coker wrote:
  
A modification to PAM could allow the sshd, login, and cron patches to go 
away.

Theodore Ts'o suggested to me that a new PAM call be added to run the shell 
which takes appropriate parameters about user-name etc.  Then a SE Linux 
version of this module could change the security context appropriately, thus 
requiring only one copy of the code to determine the context to use, and not 
requiring any on-going modification to applications.

This design concept sounds really good, and as it's Ted's suggestion I don't 
expect any great resistance to accepting the patch upstream once it's been 
tested and proven to work.

I've been meaning to work on this for almost a year, I might start work next 
week.
    

If you investigate this idea, be sure to work from the new SELinux
patches that use the new SELinux API, not the old one.  Note that the
new SELinux API is better suited to encapsulation within PAM, since the
exec context is now an attribute of the process that can be set prior to
the execve call.  PAM could call setexeccon() when it ordinarily sets
the user's credentials.  This avoids the need to create a new PAM call,
or to alter the execve call itself.

While you may be able to move the setup of the user execution context
into PAM, there are other elements of the SELinux patches as well, such
as the labeling of the tty/pty and the entrypoint check for cron jobs. 
Hence, I suspect that we will still need some kind of patch for
login/sshd/crond, albeit a smaller one.
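
The mechanism discussed above (the exec context is a process attribute set before execve) is sketched here as an added example; it is not code from the thread or from the SELinux patches. It assumes the attribute is reachable at /proc/self/attr/exec, the procfs file that setexeccon() writes to, and the helper names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Assumed procfs location of the per-process exec context attribute. */
#define EXEC_ATTR "/proc/self/attr/exec"

/* Shape check only: user:role:type[:level], first three fields non-empty,
 * no whitespace. The optional level may itself contain ':' (s0:c0.c3). */
static int context_well_formed(const char *ctx)
{
    int fields = 1;
    size_t len = 0;
    if (!ctx) return 0;
    for (const char *p = ctx; *p; p++) {
        if (*p == ' ' || *p == '\t' || *p == '\n') return 0;
        if (*p == ':' && fields < 4) {
            if (len == 0) return 0;
            fields++; len = 0;
        } else len++;
    }
    return fields >= 3 && len > 0;
}

/* Write ctx (including its NUL) to attr_path; 0 on success, -1 on failure. */
static int set_exec_context(const char *attr_path, const char *ctx)
{
    if (!context_well_formed(ctx)) return -1;
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0) return -1;
    size_t n = strlen(ctx) + 1;
    ssize_t w = write(fd, ctx, n);
    return (close(fd) == 0 && w == (ssize_t)n) ? 0 : -1;
}

/* Fail closed: if the context cannot be set, do not exec at all, so the
 * user's shell never runs in the login program's own context. */
static int exec_in_context(const char *ctx, char *const argv[], char *const envp[])
{
    if (set_exec_context(EXEC_ATTR, ctx) != 0) return -1;
    execve(argv[0], argv, envp);
    return -1; /* execve returns only on error */
}

int main(int argc, char *argv[])
{
    if (argc < 3) { fprintf(stderr, "usage: %s CONTEXT PROGRAM [ARGS...]\n", argv[0]); return 2; }
    char *const envp[] = { NULL };
    exec_in_context(argv[1], &argv[2], envp);
    perror("exec_in_context");
    return 1;
}
```

This covers only the exec context; the tty/pty labeling and the cron entrypoint check mentioned above are separate steps.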