* login roles
@ 2004-01-27  5:07 Timothy Wood
  2004-01-28 15:02 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Timothy Wood @ 2004-01-27  5:07 UTC (permalink / raw)
  To: SELinux Mail List

I set the pam_selinux module to multiple and now I'm seeing three roles 
instead of the two defined in policy/users.  The third context is 
<username>:staff_r:system_chkpwd_t, is this normal? I diffed my current 
policy against the 1.4 tarball from the NSA site and the only 
differences are a couple of changes I've made for slackware.  Of those 
few changes none of them have anything to do with system_chkpwd_t.

Timothy,


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: login roles
  2004-01-27  5:07 login roles Timothy Wood
@ 2004-01-28 15:02 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2004-01-28 15:02 UTC (permalink / raw)
  To: Timothy Wood; +Cc: SELinux Mail List, Russell Coker


On Tue, 2004-01-27 at 00:07, Timothy Wood wrote:
> I set the pam_selinux module to multiple and now I'm seeing three roles 
> instead of the two defined in policy/users.  The third context is 
> <username>:staff_r:system_chkpwd_t, is this normal? I diffed my current 
> policy against the 1.4 tarball from the NSA site and the only 
> differences are a couple of changes I've made for slackware.  Of those 
> few changes none of them have anything to do with system_chkpwd_t.

This is due to the fact that system_chkpwd_t is authorized for
<username>:staff_r and is also reachable from the login domains to
perform authentication, so that context is reachable (but not enterable
via the user shell, so it won't actually work when in enforcing mode). 
I've tightened the constraints to reduce this problem, but we may need
to change the getconlist logic to check entrypoint access to the shell
as well to fully address it.  My patch to the policy/constraints file is
attached, and this change is in the sourceforge CVS tree.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: constraints.diff --]
[-- Type: text/x-patch, Size: 839 bytes --]

Index: policy/constraints
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/constraints,v
retrieving revision 1.2
retrieving revision 1.4
diff -u -r1.2 -r1.4
--- policy/constraints	1 Jul 2003 13:35:42 -0000	1.2
+++ policy/constraints	21 Jan 2004 15:25:29 -0000	1.4
@@ -34,14 +34,18 @@
 #
 
 constrain process transition
-	( u1 == u2 or t1 == privuser
+	( u1 == u2 or ( t1 == privuser and t2 == userdomain )
 ifdef(`crond.te', `
          or (t1 == crond_t and t2 == user_crond_domain)
 ')
         );
 
 constrain process transition 
-	( r1 == r2 or t1 == privrole) ;
+	( r1 == r2 or ( t1 == privrole and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and t2 == user_crond_domain)
+')
+        );
 
 #
 # Restrict the ability to label objects with other
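Review bot: the new `t2 == userdomain` condition in both constrain statements turns the former unconditional privuser/privrole escape into one that only permits a user or role change into userdomain types, so any domain carrying privuser or privrole that legitimately changes user or role while transitioning into a non-userdomain type is now denied by the constraint. Denying the login domain's transition into system_chkpwd_t with the user's identity is the intent here, but confirm that no other privuser/privrole domain relied on the old `t1 == privuser` / `t1 == privrole` escape for a non-userdomain target before merging, and record the userdomain restriction in the comment block above the first statement (only its closing `#` is in the visible context). The crond exception is now copied verbatim into both statements; if both copies are kept, an m4 macro would stop them drifting apart the way the two statements already had.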
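To make the reply concrete, here is an added toy model of the decision getconlist makes when it lists the contexts a login program may hand to a user, and of the two fixes the reply discusses: the tightened constraint in the patch above, and the extra entrypoint check on the user's shell that the reply says may still be needed. This is illustration code written for this page, not libselinux's get_ordered_context_list or the NSA policy; the type, role and attribute names come from the thread, while the attribute memberships, allow rules, entrypoint rules, the user "tim" and the login_t context are assumptions made for the example, and the crond exception is left out.

```python
"""Toy model of how getconlist decides which contexts a login domain may
hand a user, and why <user>:staff_r:system_chkpwd_t appeared in the list.

Added illustration, not libselinux code.  Type, role and attribute names are
from the thread; the policy fragment below (attribute memberships, allow
rules, entrypoint rules, user "tim", login_t context) is assumed.
"""

# Assumed policy fragment.
PRIVUSER = {"login_t"}        # domains carrying the privuser attribute
PRIVROLE = {"login_t"}        # domains carrying the privrole attribute
USERDOMAIN = {"staff_t", "sysadm_t"}

# role <role> types { ... };  system_chkpwd_t is authorized for staff_r,
# as stated in the reply.
ROLE_TYPES = {
    "system_r": {"login_t"},
    "staff_r": {"staff_t", "system_chkpwd_t"},
    "sysadm_r": {"sysadm_t"},
}
# user <user> roles { ... };
USER_ROLES = {"system_u": {"system_r"}, "tim": {"staff_r", "sysadm_r"}}
# allow <src> <dst>:process transition;
ALLOW_TRANSITION = {
    "login_t": {"staff_t", "sysadm_t", "system_chkpwd_t"},
    "staff_t": {"system_chkpwd_t"},
}
# allow <domain> <file_type>:file entrypoint;
ENTRYPOINT = {
    "staff_t": {"shell_exec_t"},
    "sysadm_t": {"shell_exec_t"},
    "system_chkpwd_t": {"chkpwd_exec_t"},
}


def constraint_old(src, dst):
    """constraints file before the patch:
    constrain process transition ( u1 == u2 or t1 == privuser );
    constrain process transition ( r1 == r2 or t1 == privrole );"""
    (u1, r1, t1), (u2, r2, t2) = src, dst
    return (u1 == u2 or t1 in PRIVUSER) and (r1 == r2 or t1 in PRIVROLE)


def constraint_new(src, dst):
    """constraints file after the patch: a user or role change from a
    privuser/privrole domain is only permitted into a userdomain type."""
    (u1, r1, t1), (u2, r2, t2) = src, dst
    return ((u1 == u2 or (t1 in PRIVUSER and t2 in USERDOMAIN))
            and (r1 == r2 or (t1 in PRIVROLE and t2 in USERDOMAIN)))


def reachable_contexts(src, user, constraint, shell_type=None):
    """Contexts of `user` that a process in context `src` may transition to.

    As getconlist does, walk every role the user holds and every type that
    role authorizes, keeping the contexts that pass the allow rule and the
    transition constraints.  If `shell_type` is given, additionally require
    it to be an entrypoint of the target domain, i.e. that the context can
    really be entered by executing the user's shell (the extra check the
    reply proposes for getconlist).
    """
    found = []
    for role in sorted(USER_ROLES[user]):
        for typ in sorted(ROLE_TYPES[role]):
            dst = (user, role, typ)
            if typ not in ALLOW_TRANSITION.get(src[2], set()):
                continue
            if not constraint(src, dst):
                continue
            if shell_type is not None and shell_type not in ENTRYPOINT.get(typ, set()):
                continue
            found.append(":".join(dst))
    return found


LOGIN = ("system_u", "system_r", "login_t")   # assumed context of the login program

if __name__ == "__main__":
    print("old constraints:      ", reachable_contexts(LOGIN, "tim", constraint_old))
    print("patched constraints:  ", reachable_contexts(LOGIN, "tim", constraint_new))
    print("old + entrypoint check:",
          reachable_contexts(LOGIN, "tim", constraint_old, shell_type="shell_exec_t"))
```

With the old constraints the login domain sees three contexts for tim, including tim:staff_r:system_chkpwd_t, because the privuser/privrole escape lets login_t change user and role into any type it may transition to. The patched constraints drop that entry by limiting the escape to userdomain targets; the entrypoint check drops it independently, since a shell is not an entrypoint of system_chkpwd_t. The same-user, same-role transition staff_t to system_chkpwd_t is untouched by either change, which is what keeps password checking from a user shell working.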
