http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_authlogin.patch
Lots of new authlogin policy.
On Thu, 2009-11-12 at 17:07 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_authlogin.patch
>
> Lots of new authlogin policy.
I like the idea of having interfaces for using pam, but I'm hesitant
because each program's usage of pam can vary based on the pam.d entries.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 02/12/2010 03:06 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:07 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_authlogin.patch
>>
>> Lots of new authlogin policy.
>
> I like the idea of having interfaces for using pam, but I'm hesitant
> because each program's usage of pam can vary based on the pam.d entries.
>
Yes, and I think we could add a series of booleans to allow people to tighten this up.
I guess this comes down to an argument between least privs and just make the damn thing work.
On Sat, 2010-02-13 at 07:22 -0500, Daniel J Walsh wrote:
> On 02/12/2010 03:06 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:07 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_authlogin.patch
> >>
> >> Lots of new authlogin policy.
> >
> > I like the idea of having interfaces for using pam, but I'm hesitant
> > because each program's usage of pam can vary based on the pam.d entries.
> >
> Yes, and I think we could add a series of booleans to allow people to tighten this up.
> I guess this comes down to an argument between least privs and just make the damn thing work.
Right. I just don't know how much variation between pam configurations
there is on a particular system.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
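
As an added example, not part of the thread or of the patch it discusses: one way to measure the variation in question is to resolve each service's pam.d stack and compare the modules it can load, since those modules run inside the calling program's process. The file contents are constructed samples, and `modules` and `variation` are hypothetical helper names; `@include` lines and `/etc/pam.conf` are not handled.

```python
import re

# Constructed sample /etc/pam.d contents (file name -> text); not from a real system.
SAMPLE = {
    "system-auth": """
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
account  required   pam_unix.so
session  required   pam_unix.so
""",
    "sshd": """
auth     include    system-auth
account  required   pam_nologin.so
account  include    system-auth
session  required   pam_selinux.so close
session  include    system-auth
""",
    "crond": """
auth     sufficient pam_rootok.so
auth     include    system-auth
account  required   pam_access.so
account  include    system-auth
session  required   pam_loginuid.so   # constructed comment
session  include    system-auth
""",
}

# type, control (plain word or [value=action ...]), then module path or included file
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def modules(service, files, seen=frozenset()):
    """Set of (type, module) pairs reachable from a service, following include/substack."""
    if service in seen or service not in files:
        return set()
    out = set()
    for raw in files[service].replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        kind, control, target = m.groups()
        if control in ("include", "substack"):
            # include pulls in only the lines of the same type from the named file
            out |= {p for p in modules(target, files, seen | {service}) if p[0] == kind}
        else:
            out.add((kind, target.rsplit("/", 1)[-1]))
    return out

def variation(files, services):
    """Return (pairs common to every service, per-service extras beyond the common set)."""
    per = {s: modules(s, files) for s in services}
    common = set.intersection(*per.values())
    return common, {s: sorted(v - common) for s, v in per.items()}
```

To run it on a real system, build `files` by reading each file under `/etc/pam.d` into the dictionary keyed by file name.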