This patch allows to use pam instead of nsswitch in
policy/modules/admin/usermanage.te.
--- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
+++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
term_use_all_terms(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
On 02/16/11 01:00, Guido Trentalancia wrote:
> This patch allows to use pam instead of nsswitch in
> policy/modules/admin/usermanage.te.
Do you have more of an explanation? auth_use_pam() is much more than
the rules you're removing.
> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
> # for SSP
> dev_read_urand(chfn_t)
>
> -auth_domtrans_chk_passwd(chfn_t)
> -auth_dontaudit_read_shadow(chfn_t)
> -auth_use_nsswitch(chfn_t)
> +auth_use_pam(chfn_t)
>
> # allow checking if a shell is executable
> corecmd_check_exec_shell(chfn_t)
> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
>
> term_use_all_terms(passwd_t)
>
> -auth_domtrans_chk_passwd(passwd_t)
> auth_manage_shadow(passwd_t)
> auth_relabel_shadow(passwd_t)
> auth_etc_filetrans_shadow(passwd_t)
> -auth_use_nsswitch(passwd_t)
> +auth_use_pam(passwd_t)
>
> # allow checking if a shell is executable
> corecmd_check_exec_shell(passwd_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch allows to use pam instead of nsswitch in
>> policy/modules/admin/usermanage.te.
>
> Do you have more of an explanation? auth_use_pam() is much more than
> the rules you're removing.
>
>> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
>> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
>> # for SSP
>> dev_read_urand(chfn_t)
>>
>> -auth_domtrans_chk_passwd(chfn_t)
>> -auth_dontaudit_read_shadow(chfn_t)
>> -auth_use_nsswitch(chfn_t)
>> +auth_use_pam(chfn_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(chfn_t)
>> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
>>
>> term_use_all_terms(passwd_t)
>>
>> -auth_domtrans_chk_passwd(passwd_t)
>> auth_manage_shadow(passwd_t)
>> auth_relabel_shadow(passwd_t)
>> auth_etc_filetrans_shadow(passwd_t)
>> -auth_use_nsswitch(passwd_t)
>> +auth_use_pam(passwd_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(passwd_t)
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
These tools are doing authentication they are doing the full pam stack
not just calling getpw, so they need access to the entire pam_stack,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1j3xcACgkQrlYvE4MpobMkVACgqdmr8HW+Zb4VYY5HboiTuOHL
cq8AoIx2jdHaXC3cndwE/dFyTE9qDzNh
=N4Gf
-----END PGP SIGNATURE-----
On Tue, 22/02/2011 at 10.55 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
> > This patch allows to use pam instead of nsswitch in
> > policy/modules/admin/usermanage.te.
>
> Do you have more of an explanation? auth_use_pam() is much more than
> the rules you're removing.
No, not really. You can drop that. The dbus messaging permissions were
the main point of the whole patch set. Have you had any time to look at
that ?
Regards,
Guido
On Tue, 22/02/2011 at 11.06 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch allows to use pam instead of nsswitch in
> >> policy/modules/admin/usermanage.te.
> >
> > Do you have more of an explanation? auth_use_pam() is much more than
> > the rules you're removing.
> >
> >> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
> >> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
> >> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
> >> # for SSP
> >> dev_read_urand(chfn_t)
> >>
> >> -auth_domtrans_chk_passwd(chfn_t)
> >> -auth_dontaudit_read_shadow(chfn_t)
> >> -auth_use_nsswitch(chfn_t)
> >> +auth_use_pam(chfn_t)
> >>
> >> # allow checking if a shell is executable
> >> corecmd_check_exec_shell(chfn_t)
> >> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
> >>
> >> term_use_all_terms(passwd_t)
> >>
> >> -auth_domtrans_chk_passwd(passwd_t)
> >> auth_manage_shadow(passwd_t)
> >> auth_relabel_shadow(passwd_t)
> >> auth_etc_filetrans_shadow(passwd_t)
> >> -auth_use_nsswitch(passwd_t)
> >> +auth_use_pam(passwd_t)
> >>
> >> # allow checking if a shell is executable
> >> corecmd_check_exec_shell(passwd_t)
> >>
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> >
> These tools are doing authentication they are doing the full pam stack
> not just calling getpw, so they need access to the entire pam_stack,
I took passwd from Fedora. So it's not something which applies to any
system in general and Christopher is right.
For example on a stable Debian system with refpolicy I didn't do that
and everything is working fine. But there I am using standard Debian
packages for user management. They are still linked against pam, but
apparently usermanagement does not need that there.
Perhaps it is not possible to generalize here (user management is too
much dependent on the specific system or distribution ?)
Christopher should just drop that. I don't know about every different
distribution. Perhaps they all use different tools.
Regards,
Guido