From: Daniel J Walsh <dwalsh@redhat.com>
To: Todd Miller <Tmiller@tresys.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Not that anyone would ever run in permissive mode but...
Date: Fri, 22 Feb 2008 15:45:48 -0500
Message-ID: <47BF347C.4090006@redhat.com>
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015880195C742@exchange.columbia.tresys.com>
Todd Miller wrote:
> Daniel J Walsh wrote:
>> This patch is needed for sudo.
>>
>> Also added setkeycreatecon, although this will not work the way the
>> code is currently.
>>
>> Pam activity should probably be happening after setkeycreatecon and
>> setexeccon
>>
>> But I am not sure how pam_keyinit should work here anyway.
>>
>> Currently you lose access to your keying material when you su or
>> sudo.
>>
>> These things will not be labeled correctly as currently used.
>
> Thanks, I've merged that into the sudo tree. I think I understand
> why setkeycreatecon and setexeccon ought to be called before PAM.
>
> Am I correct in believing that the tty does _not_ need to be relabeled
> before calling PAM since the conversation function runs in the current
> context?
>
> - todd
Yes, the problem is there is no good solution to this, since in some
cases you want jobs to run in the current context and others you want
them in the user's context.
Same problem as DAC though.
Should pam_session be run in UID 0 or in my UID? No good answer.
pam_keyinit is removing the current keyring and creating a new one. In
the login programs this is happening after pam_selinux open so they get a
keyring labeled user_t or staff_t. But sudo closes these and opens one
labeled staff_sudo_t. If the setkeycreate call happened before the
pam_session it would be webadm_t. But fixing this here would help, but
su has the same problem, and su has no selinux awareness.