* PAM modules ordering
From: Laurent Bigonville @ 2014-05-06 17:46 UTC (permalink / raw)
To: selinux
Hello,
I was wondering, is there a list of pam modules that need to be called
between pam_selinux close/open?
On Fedora I see pam_loginuid, but are there other modules that must be
in between, or can all the other modules be after the "pam_selinux
open" one?
Cheers,
Laurent Bigonville
* Re: PAM modules ordering
From: Daniel J Walsh @ 2014-05-06 19:11 UTC (permalink / raw)
To: Laurent Bigonville, selinux
On 05/06/2014 01:46 PM, Laurent Bigonville wrote:
> Hello,
>
> I was wondering, is there a list of pam modules that need to be called
> between pam_selinux close/open?
>
> On Fedora I see pam_loginuid, but are there other modules that must be
> in between, or can all the other modules be after the "pam_selinux
> open" one?
>
> Cheers,
>
> Laurent Bigonville
No, the only thing that should not be called after pam_selinux open is an
app that wants to run a priv command. pam_selinux open is setting the
user context, so any apps that are executed after the open will be
executed in the user's context. Any app that is executed before the open
will be executed as the context of the login program.
pam_selinux will also change the labels on ttys.
* Re: PAM modules ordering
From: Laurent Bigonville @ 2014-05-06 20:42 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
On Tue, 06 May 2014 15:11:28 -0400,
Daniel J Walsh <dwalsh@redhat.com> wrote:
> No, the only thing that should not be called after pam_selinux open is an
> app that wants to run a priv command. pam_selinux open is setting the
> user context, so any apps that are executed after the open will be
> executed in the user's context. Any app that is executed before the
> open will be executed as the context of the login program.
>
> pam_selinux will also change the labels on ttys.
Thanks for your answer, I guess I'll have to change what Debian is
currently doing, and change to Fedora's way (pam_loginuid before
pam_selinux open and the rest after).
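A small checker for the ordering this thread settles on (pam_selinux close, pam_loginuid, pam_selinux open, everything else afterwards), added here as an example and not part of the original messages. The sample stacks are constructed, pam_limits.so and pam_keyinit.so stand in for "the rest", and include/substack lines are not followed.

```python
import re

# Constructed sample session stacks (not copied from any distribution).
FEDORA_STYLE = """\
session  required  pam_selinux.so close
session  required  pam_loginuid.so
session  required  pam_selinux.so open
session  required  pam_limits.so
session  optional  pam_keyinit.so force revoke
"""
REORDERED = """\
# pam_limits first, pam_loginuid last
session  required  pam_limits.so
session  required  pam_selinux.so close
session  required  pam_selinux.so open
-session [success=ok default=ignore] pam_loginuid.so
"""

# type, control (plain word or [bracketed] form), module, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_stack(text):
    """Return [(module, args)] for the session lines, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        # include/substack lines pull in other files; they are not followed here
        if m and m.group(1) == "session" and m.group(2) not in ("include", "substack"):
            stack.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack

def check_order(text):
    """List deviations from: close, pam_loginuid, open, then the rest."""
    stack = session_stack(text)
    def pos(mod, arg=None):
        return next((i for i, (m, a) in enumerate(stack)
                     if m == mod and (arg is None or arg in a)), None)
    # Assumes the explicit split close/open form discussed in the thread.
    close, open_ = pos("pam_selinux.so", "close"), pos("pam_selinux.so", "open")
    loginuid = pos("pam_loginuid.so")
    if open_ is None:
        return ["no 'pam_selinux.so open' line in this stack"]
    findings = []
    if close is not None and close > open_:
        findings.append("pam_selinux.so close comes after open")
    if loginuid is not None and loginuid > open_:
        findings.append("pam_loginuid.so comes after pam_selinux.so open")
    for i, (mod, _) in enumerate(stack[:open_]):
        if i not in (close, loginuid):
            findings.append(f"{mod} is before open: what it executes runs in the login program's context")
    return findings
```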