From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH 2/2] pam_faillock creates files in /run/faillock
Date: Sat, 22 Dec 2018 02:58:41 +0000
Message-ID: <2d2d6c7f-3084-d6f6-ce1b-42c9d9535969@tresys.com>
In-Reply-To: <20181221103416.GA4520@brutus.lan>

On 12/21/18 5:34 AM, Dominick Grift wrote:
> On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
>> These are changes needed when pam_faillock created files in /run/faillock
>> (which is labeled faillog_t). sudo and xdm (and probably other domains)
>> will create files in this directory for successful and failed login
>> attempts.
> The pam stuff has become a bit broken in my view.
>
> We used to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly.
>
> So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead.
>
> My opinion is that this belongs in auth_use_pam()

Dominick,

I see those interfaces.  It looks like xdm_t already uses
auth_login_pgm_domain(xdm_t).  It also isn't really clear to me what the
difference is between auth_login_pgm_domain() and auth_use_pam().  I
will make updates moving my change into auth_use_pam() and also update
sudo_role_template() to use (I think) auth_login_pgm_domain().

I will resubmit this patch,

--- snip ---