From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] system_locallogin.patch
Date: Tue, 16 Feb 2010 12:25:17 -0500
Message-ID: <4B7AD4FD.2090306@redhat.com>
In-Reply-To: <1266328946.11004.55.camel@gorn.columbia.tresys.com>

On 02/16/2010 09:02 AM, Christopher J. PeBenito wrote:
> On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
>> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>>>
>>>> Fixes for zseries
>>>>
>>>> lots of stuff differs from upstream.
>>>
>>> What is the generic usb device usage for?
>> I think this comes from fingerprint reader.  Google is a wonderful thing.
>> https://bugzilla.redhat.com/show_bug.cgi?id=301961
>> https://bugzilla.redhat.com/attachment.cgi?id=208401
> 
> It seems that it would be better to make sure fingerprint devices have
> their own label.  We wouldn't want any random generic usb device being
> used for authentication.
>
Not easy to do, since you would need to generate udev rules for labeling each USB device.
I don't believe these have a standard path.
 
>>> It looks like that the sulogin_no_pam option needs to transition to a
>>> tunable (locallogin_sulogin_pam).  Does redhat patch on SELinux support
>>> to sulogin, since you added the rules for computing the user contexts?
>>>
>>
>> sulogin uses pam at Red Hat so it goes through pam_selinux.
> 
> Then I'm confused.  Why was this added:
> 
> +ifdef(`distro_redhat',`
> +	define(`sulogin_no_pam')
> 
Sorry, I was mistaken; it does NOT use pam.

sulogin on Red Hat platforms has the following:

#include <stdio.h>
#include <stdlib.h>
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>

/* Compute root's default SELinux context from the seusers mapping and set it
 * as the exec context for the shell sulogin is about to run (no PAM involved). */
static void sulogin_set_root_exec_context(void)
{
#ifdef WITH_SELINUX
        /* the original compared the function pointer, not its return value */
        if (is_selinux_enabled() > 0) {
                security_context_t scon = NULL;
                char *seuser = NULL;
                char *level = NULL;
                /* both libselinux calls return 0 on success and -1 on error,
                 * so the original "> 0" test could never take the branch */
                if (getseuserbyname("root", &seuser, &level) == 0)
                        if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
                                if (setexeccon(scon) != 0)
                                        fprintf(stderr, "setexeccon failed\n");
                                freecon(scon);
                        }
                free(seuser);
                free(level);
        }
#endif
}
