Re: getseuserbyname patch

[Daniel J Walsh <dwalsh@redhat.com>]

Stephen Smalley wrote:
> On Thu, 2005-10-06 at 09:27 -0400, Daniel J Walsh wrote:
>   
>> A couple of things I was thinking about.  
>>
>> 1.  The call should be to just return the username and level "" if the 
>> file does not exist or if there is not default value and no match.  So 
>> the only time the call would return an error was if no memory.
>>     
>
> The problem with always doing this is that it could lead to insecurity,
> e.g. accidental (or malicious) removal of seusers.conf or filesystem
> corruption could end up allowing the user to login with a much greater
> level of access than desired, because we will be using seusers.conf to
> control the authorized categories for individual Linux users rather than
> the kernel policy.  That's why I suggested making it a configurable
> setting in /etc/selinux/config, so that we have the option of treating
> it as an error condition that prevents login rather than falling back.
> For MCS or MLS, I think we would actually want to make it an error
> condition and require the presence of seusers.conf and a default entry.
> For existing systems (e.g. FC4) and any system that doesn't want/need a
> separate user mapping, we'd leave it as a non-error condition so that
> nothing breaks there.  Note btw that it is *level = NULL that we want,
> so that get_ordered_context_with_level and
> get_default_context_with_level fall back to the ordinary functions.
>
>   
Of course if I can get rid of this file, I can probably muck around with 
the config file also.   
As long as we don't require the flag and default to old behavior.  For 
MLS installs we can
put in the flag in the config file and change it to fail if the file is 
missing.
>> 2. The file should be put into a policy specific directories and be 
>> shipped with the policy.  When we move to LDAP, we will require a policy 
>> type in the key for retrieving users.  This way we can continue to allow 
>> users to switch from one type of policy to another.
>>     
>
> That's ok, as long as you are fine with the notion that some files in
> the policy package can be customized by the user.  If you want the
> policy package to ultimately become "pristine" files shipped by the
> distributor and keep all user customizations separate, then it seems
> like it needs to go in a separate package, much as /etc/passwd et al are
> in their own special setup package.  It would be nice if ultimately rpm
> -V selinux-policy-targeted (or strict) would report no changes from mere
> local customizations.
>
>   
There are files in policy now that are marked config(noreplace) like 
local.users, ports, devices etc.  So I don't think this is any 
differerent. 

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.