* [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
@ 2011-02-16 6:00 Guido Trentalancia
2011-02-22 15:55 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-16 6:00 UTC (permalink / raw)
To: refpolicy
This patch allows to use pam instead of nsswitch in
policy/modules/admin/usermanage.te.
--- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
term_use_all_terms(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
2011-02-16 6:00 [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module Guido Trentalancia
@ 2011-02-22 15:55 ` Christopher J. PeBenito
2011-02-22 16:06 ` Daniel J Walsh
2011-02-22 16:41 ` Guido Trentalancia
0 siblings, 2 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-02-22 15:55 UTC (permalink / raw)
To: refpolicy
On 02/16/11 01:00, Guido Trentalancia wrote:
> This patch allows to use pam instead of nsswitch in
> policy/modules/admin/usermanage.te.
Do you have more of an explanation? auth_use_pam() is much more than
the rules you're removing.
> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
> # for SSP
> dev_read_urand(chfn_t)
>
> -auth_domtrans_chk_passwd(chfn_t)
> -auth_dontaudit_read_shadow(chfn_t)
> -auth_use_nsswitch(chfn_t)
> +auth_use_pam(chfn_t)
>
> # allow checking if a shell is executable
> corecmd_check_exec_shell(chfn_t)
> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
>
> term_use_all_terms(passwd_t)
>
> -auth_domtrans_chk_passwd(passwd_t)
> auth_manage_shadow(passwd_t)
> auth_relabel_shadow(passwd_t)
> auth_etc_filetrans_shadow(passwd_t)
> -auth_use_nsswitch(passwd_t)
> +auth_use_pam(passwd_t)
>
> # allow checking if a shell is executable
> corecmd_check_exec_shell(passwd_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
2011-02-22 15:55 ` Christopher J. PeBenito
@ 2011-02-22 16:06 ` Daniel J Walsh
2011-02-22 17:04 ` Guido Trentalancia
2011-02-22 16:41 ` Guido Trentalancia
1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-22 16:06 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch allows to use pam instead of nsswitch in
>> policy/modules/admin/usermanage.te.
>
> Do you have more of an explanation? auth_use_pam() is much more than
> the rules you're removing.
>
>> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
>> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
>> # for SSP
>> dev_read_urand(chfn_t)
>>
>> -auth_domtrans_chk_passwd(chfn_t)
>> -auth_dontaudit_read_shadow(chfn_t)
>> -auth_use_nsswitch(chfn_t)
>> +auth_use_pam(chfn_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(chfn_t)
>> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
>>
>> term_use_all_terms(passwd_t)
>>
>> -auth_domtrans_chk_passwd(passwd_t)
>> auth_manage_shadow(passwd_t)
>> auth_relabel_shadow(passwd_t)
>> auth_etc_filetrans_shadow(passwd_t)
>> -auth_use_nsswitch(passwd_t)
>> +auth_use_pam(passwd_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(passwd_t)
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
These tools are doing authentication they are doing the full pam stack
not just calling getpw, so they need access to the entire pam_stack,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1j3xcACgkQrlYvE4MpobMkVACgqdmr8HW+Zb4VYY5HboiTuOHL
cq8AoIx2jdHaXC3cndwE/dFyTE9qDzNh
=N4Gf
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
2011-02-22 15:55 ` Christopher J. PeBenito
2011-02-22 16:06 ` Daniel J Walsh
@ 2011-02-22 16:41 ` Guido Trentalancia
1 sibling, 0 replies; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-22 16:41 UTC (permalink / raw)
To: refpolicy
On Tue, 22/02/2011 at 10.55 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
> > This patch allows to use pam instead of nsswitch in
> > policy/modules/admin/usermanage.te.
>
> Do you have more of an explanation? auth_use_pam() is much more than
> the rules you're removing.
No, not really. You can drop that. The dbus messaging permissions were
the main point of the whole patch set. Have you had any time to look at
that ?
Regards,
Guido
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
2011-02-22 16:06 ` Daniel J Walsh
@ 2011-02-22 17:04 ` Guido Trentalancia
0 siblings, 0 replies; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-22 17:04 UTC (permalink / raw)
To: refpolicy
On Tue, 22/02/2011 at 11.06 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch allows to use pam instead of nsswitch in
> >> policy/modules/admin/usermanage.te.
> >
> > Do you have more of an explanation? auth_use_pam() is much more than
> > the rules you're removing.
> >
> >> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
> >> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
> >> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
> >> # for SSP
> >> dev_read_urand(chfn_t)
> >>
> >> -auth_domtrans_chk_passwd(chfn_t)
> >> -auth_dontaudit_read_shadow(chfn_t)
> >> -auth_use_nsswitch(chfn_t)
> >> +auth_use_pam(chfn_t)
> >>
> >> # allow checking if a shell is executable
> >> corecmd_check_exec_shell(chfn_t)
> >> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
> >>
> >> term_use_all_terms(passwd_t)
> >>
> >> -auth_domtrans_chk_passwd(passwd_t)
> >> auth_manage_shadow(passwd_t)
> >> auth_relabel_shadow(passwd_t)
> >> auth_etc_filetrans_shadow(passwd_t)
> >> -auth_use_nsswitch(passwd_t)
> >> +auth_use_pam(passwd_t)
> >>
> >> # allow checking if a shell is executable
> >> corecmd_check_exec_shell(passwd_t)
> >>
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> >
> These tools are doing authentication they are doing the full pam stack
> not just calling getpw, so they need access to the entire pam_stack,
I took passwd from Fedora. So it's not something which applies to any
system in general and Christopher is right.
For example on a stable Debian system with refpolicy I didn't do that
and everything is working fine. But there I am using standard Debian
packages for user management. They are still linked against pam, but
apparently usermanagement does not need that there.
Perhaps it is not possible to generalize here (user management is too
much dependent on the specific system or distribution ?)
Christopher should just drop that. I don't know about every different
distribution. Perhaps they all use different tools.
Regards,
Guido
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-02-22 17:04 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-16 6:00 [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module Guido Trentalancia
2011-02-22 15:55 ` Christopher J. PeBenito
2011-02-22 16:06 ` Daniel J Walsh
2011-02-22 17:04 ` Guido Trentalancia
2011-02-22 16:41 ` Guido Trentalancia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.