* [refpolicy] system_locallogin.patch
@ 2010-08-26 23:38 Daniel J Walsh
0 siblings, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2010-08-26 23:38 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/system_locallogin.patch
Add sushell so init in single user mode will transition to unconfined_t
or sysadm_t
local_login_t needs sys_admin
read usb devices for fingerprint?
Read video for face recognition. Sheesh.
Terminal relabeling of console on certain arches. (Power)
Does not need unconfined
fixes for sulogin
* [refpolicy] system_locallogin.patch
From: Daniel J Walsh @ 2009-11-12 22:12 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
Fixes for zseries
lots of stuff differs from upstream.
* [refpolicy] system_locallogin.patch
From: Christopher J. PeBenito @ 2010-02-12 20:10 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>
> Fixes for zseries
>
> lots of stuff differs from upstream.
What is the generic usb device usage for?
It looks like that the sulogin_no_pam option needs to transition to a
tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
to sulogin, since you added the rules for computing the user contexts?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] system_locallogin.patch
From: Daniel J Walsh @ 2010-02-13 12:09 UTC (permalink / raw)
To: refpolicy
On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>
>> Fixes for zseries
>>
>> lots of stuff differs from upstream.
>
> What is the generic usb device usage for?
I think this comes from fingerprint reader. Google is a wonderful thing.
https://bugzilla.redhat.com/show_bug.cgi?id=301961
https://bugzilla.redhat.com/attachment.cgi?id=208401
>
> It looks like that the sulogin_no_pam option needs to transition to a
> tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
> to sulogin, since you added the rules for computing the user contexts?
>
sulogin uses pam at Red Hat so it goes through pam_selinux.
* [refpolicy] system_locallogin.patch
From: Christopher J. PeBenito @ 2010-02-16 14:02 UTC (permalink / raw)
To: refpolicy
On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
> >>
> >> Fixes for zseries
> >>
> >> lots of stuff differs from upstream.
> >
> > What is the generic usb device usage for?
> I think this comes from fingerprint reader. Google is a wonderful thing.
> https://bugzilla.redhat.com/show_bug.cgi?id=301961
> https://bugzilla.redhat.com/attachment.cgi?id=208401
It seems that it would be better to make sure fingerprint devices have
their own label. We wouldn't want any random generic usb device being
used for authentication.
> > It looks like that the sulogin_no_pam option needs to transition to a
> > tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
> > to sulogin, since you added the rules for computing the user contexts?
> >
>
> sulogin uses pam at Red Hat so it goes through pam_selinux.
Then I'm confused. Why was this added:
+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')
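Review bot: the `define(`sulogin_no_pam')` under `ifdef(`distro_redhat'` is an m4 build-time define, so every Red Hat build gets the no-PAM rules with no way to select the pam_selinux path; if sulogin does go through PAM on some Red Hat builds, as the reply above claims, the earlier suggestion of a tunable (locallogin_sulogin_pam) would keep that choice available at runtime instead of hard-wiring it into the distro conditional.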
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] system_locallogin.patch
From: Daniel J Walsh @ 2010-02-16 17:25 UTC (permalink / raw)
To: refpolicy
On 02/16/2010 09:02 AM, Christopher J. PeBenito wrote:
> On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
>> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>>>
>>>> Fixes for zseries
>>>>
>>>> lots of stuff differs from upstream.
>>>
>>> What is the generic usb device usage for?
>> I think this comes from fingerprint reader. Google is a wonderful thing.
>> https://bugzilla.redhat.com/show_bug.cgi?id=301961
>> https://bugzilla.redhat.com/attachment.cgi?id=208401
>
> It seems that it would be better to make sure fingerprint devices have
> their own label. We wouldn't want any random generic usb device being
> used for authentication.
>
Not easy to do, since you would need to generate udev rules for labeling each usb device.
I don't believe these have a standard path.
>>> It looks like that the sulogin_no_pam option needs to transition to a
>>> tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
>>> to sulogin, since you added the rules for computing the user contexts?
>>>
>>
>> sulogin uses pam at Red Hat so it goes through pam_selinux.
>
> Then I'm confused. Why was this added:
>
> +ifdef(`distro_redhat',`
> + define(`sulogin_no_pam')
>
Sorry, I was mistaken; it does NOT use pam.
sulogin on Red Hat platforms has the following:
#ifdef WITH_SELINUX
	/* is_selinux_enabled() must be called; comparing the bare function
	 * name to 0 is always true. */
	if (is_selinux_enabled() > 0) {
		security_context_t scon = NULL;
		char *seuser = NULL;
		char *level = NULL;

		/* Map the Linux user "root" to its SELinux user and MLS level
		 * from the policy's seusers file. */
		if (getseuserbyname("root", &seuser, &level) == 0)
			/* Compute the default context for that SELinux user.
			 * get_default_context_with_level() returns 0 on success
			 * and -1 on failure. */
			if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
				/* Set the context the root shell will be exec'ed into. */
				if (setexeccon(scon) != 0)
					fprintf(stderr, "setexeccon failed\n");
				freecon(scon);
			}
		free(seuser);
		free(level);
	}
#endif
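The root-context computation in the sulogin snippet above starts with getseuserbyname(), which looks root up in the policy's seusers file. The following Python is added here and is not part of the thread or of sulogin: it mirrors that lookup on constructed seusers text (one linux_user:selinux_user[:mls_level] entry per line, level optional, __default__ as the fallback entry) so the user-to-SELinux-user mapping sulogin relies on can be inspected offline; the function names are invented, and the unresolved case is reported as None rather than guessing the library's own fallback.

```python
from typing import Dict, Optional, Tuple

# Constructed samples in the /etc/selinux/<policy>/seusers format.
# A '#' starts a comment; the MLS level is optional and itself contains ':'.
SAMPLE_SEUSERS = """\
# targeted policy (constructed sample)
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

STRICT_SEUSERS = """\
# non-MLS style sample where root maps to sysadm_u (constructed)
root:sysadm_u:s0
__default__:user_u
"""

Entry = Tuple[str, Optional[str]]  # (selinux_user, mls_level or None)


def parse_seusers(text: str) -> Dict[str, Entry]:
    """Parse seusers text into {linux_user: (selinux_user, level_or_None)}."""
    mapping: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps a level such as "s0-s0:c0.c1023" in one piece.
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed seusers line: {raw!r}")
        level = parts[2] if len(parts) == 3 else None
        mapping[parts[0]] = (parts[1], level)
    return mapping


def seuser_for(name: str, text: str) -> Optional[Entry]:
    """Resolve a Linux user the way sulogin's getseuserbyname() call needs:
    the exact entry first, then __default__, else None (lookup failed)."""
    mapping = parse_seusers(text)
    if name in mapping:
        return mapping[name]
    return mapping.get("__default__")


if __name__ == "__main__":
    for label, text in (("targeted", SAMPLE_SEUSERS), ("strict", STRICT_SEUSERS)):
        print(label, "root ->", seuser_for("root", text))
```

A None result is exactly the case in which the C code above must skip setexeccon(), since there is no SELinux user to compute a default context for.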
* [refpolicy] system_locallogin.patch
From: Daniel J Walsh @ 2009-03-05 17:18 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_locallogin.patch
Local login uses usb keys for login.
Add unconfined_shell_domtrans which contains a boolean to turn on and
off login as an unconfined user.
local_login now runs well as a confined domain
sulogin calls getpw
sulogin will transition to unconfined_t on non MLS machines.
Redhat does not use pam for sulogin