http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
Fixes for zseries
lots of stuff differs from upstream.
On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>
> Fixes for zseries
>
> lots of stuff differs from upstream.
What is the generic usb device usage for?
It looks like the sulogin_no_pam option needs to transition to a
tunable (locallogin_sulogin_pam). Does Red Hat patch SELinux support
into sulogin, since you added the rules for computing the user contexts?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>
>> Fixes for zseries
>>
>> lots of stuff differs from upstream.
>
> What is the generic usb device usage for?
I think this comes from the fingerprint reader. Google is a wonderful thing.
https://bugzilla.redhat.com/show_bug.cgi?id=301961
https://bugzilla.redhat.com/attachment.cgi?id=208401
>
> It looks like the sulogin_no_pam option needs to transition to a
> tunable (locallogin_sulogin_pam). Does Red Hat patch SELinux support
> into sulogin, since you added the rules for computing the user contexts?
>
sulogin uses pam at Red Hat so it goes through pam_selinux.
On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
> >>
> >> Fixes for zseries
> >>
> >> lots of stuff differs from upstream.
> >
> > What is the generic usb device usage for?
> I think this comes from the fingerprint reader. Google is a wonderful thing.
> https://bugzilla.redhat.com/show_bug.cgi?id=301961
> https://bugzilla.redhat.com/attachment.cgi?id=208401
It seems that it would be better to make sure fingerprint devices have
their own label. We wouldn't want any random generic usb device being
used for authentication.
> > It looks like the sulogin_no_pam option needs to transition to a
> > tunable (locallogin_sulogin_pam). Does Red Hat patch SELinux support
> > into sulogin, since you added the rules for computing the user contexts?
> >
>
> sulogin uses pam at Red Hat so it goes through pam_selinux.
Then I'm confused. Why was this added:
+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')
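Review bot: `define(`sulogin_no_pam')` inside `ifdef(`distro_redhat',` fixes the choice at policy build time as an m4 define, so the pam versus non-pam rule set for sulogin cannot be switched on an installed policy the way a tunable (locallogin_sulogin_pam, as suggested above) could with setsebool. Either drop the define if sulogin on Red Hat really goes through pam_selinux, or replace it with the tunable so both builds share one policy source.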
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 02/16/2010 09:02 AM, Christopher J. PeBenito wrote:
> On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
>> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>>>
>>>> Fixes for zseries
>>>>
>>>> lots of stuff differs from upstream.
>>>
>>> What is the generic usb device usage for?
>> I think this comes from the fingerprint reader. Google is a wonderful thing.
>> https://bugzilla.redhat.com/show_bug.cgi?id=301961
>> https://bugzilla.redhat.com/attachment.cgi?id=208401
>
> It seems that it would be better to make sure fingerprint devices have
> their own label. We wouldn't want any random generic usb device being
> used for authentication.
>
Not easy to do, since you would need to generate udev rules for labeling each usb device.
I don't believe these have a standard path.
>>> It looks like the sulogin_no_pam option needs to transition to a
>>> tunable (locallogin_sulogin_pam). Does Red Hat patch SELinux support
>>> into sulogin, since you added the rules for computing the user contexts?
>>>
>>
>> sulogin uses pam at Red Hat so it goes through pam_selinux.
>
> Then I'm confused. Why was this added:
>
> +ifdef(`distro_redhat',`
> + define(`sulogin_no_pam')
>
Sorry, I was mistaken; it does NOT use pam.
sulogin on Red Hat platforms has the following:
#ifdef WITH_SELINUX
        /* needs <selinux/selinux.h> and <selinux/get_context_list.h> */
        if (is_selinux_enabled() > 0) {
                security_context_t scon = NULL;
                char *seuser = NULL;
                char *level = NULL;
                /* map the Linux user "root" to its SELinux user and MLS level */
                if (getseuserbyname("root", &seuser, &level) == 0) {
                        /* get_default_context_with_level() returns 0 on success */
                        if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
                                /* label the shell sulogin is about to exec */
                                if (setexeccon(scon) != 0)
                                        fprintf(stderr, "setexeccon failed\n");
                                freecon(scon);
                        }
                }
                free(seuser);
                free(level);
        }
#endif
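As an added example (not sulogin's or libselinux's code): the first step of the snippet above, getseuserbyname("root", ...), is a lookup in the policy's seusers file, where each line reads linuxuser:seuser:mls-level, '#' starts a comment, and a __default__ entry covers any user without its own line. The C program below reimplements that lookup over a constructed seusers table embedded inline; the table contents and the function name lookup_seuser are assumptions made for the example, not data from a real system. It returns 0 for an exact match, 1 when the __default__ fallback was used and -1 when nothing applies, so a caller can tell whether root's context came from its own entry or from the fallback.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for /etc/selinux/<policy>/seusers (example data, not a
 * real file). Format per line: linuxuser:seuser:mls-level; '#' starts a
 * comment; __default__ applies to any user without its own entry. */
static const char sample_seusers[] =
    "# constructed seusers table for this example\n"
    "system_u:system_u:s0-s0:c0.c1023\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "alice:staff_u:s0\n"
    "\n"
    "__default__:user_u:s0\n";

/* Resolve a Linux user name against seusers-format text the way
 * getseuserbyname(3) does: an exact match wins, otherwise the __default__
 * entry applies. On success *seuser and *level receive malloc'd strings
 * (level is "" when the entry carries none). Returns 0 for an exact match,
 * 1 when __default__ was used, -1 when no entry applies or malloc fails. */
int lookup_seuser(const char *table, const char *name,
                  char **seuser, char **level)
{
    char *copy = strdup(table);
    if (copy == NULL)
        return -1;

    const char *hit_user = NULL, *hit_level = NULL;
    int rc = -1;
    char *save = NULL;

    for (char *line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t')
            line++;
        if (*line == '\0' || *line == '#')
            continue;                       /* blank line or comment */

        char *sep = strchr(line, ':');
        if (sep == NULL)
            continue;                       /* malformed entry: ignore it */
        *sep = '\0';
        const char *entry_user = sep + 1;
        const char *entry_level = "";
        /* split only at the second ':' so a range like s0-s0:c0.c1023 survives */
        char *lvl = strchr(sep + 1, ':');
        if (lvl != NULL) {
            *lvl = '\0';
            entry_level = lvl + 1;
        }

        if (strcmp(line, name) == 0) {      /* exact match: stop here */
            hit_user = entry_user;
            hit_level = entry_level;
            rc = 0;
            break;
        }
        if (rc == -1 && strcmp(line, "__default__") == 0) {
            hit_user = entry_user;          /* remember the fallback, keep scanning */
            hit_level = entry_level;
            rc = 1;
        }
    }

    if (rc != -1) {
        *seuser = strdup(hit_user);
        *level = strdup(hit_level);
        if (*seuser == NULL || *level == NULL) {
            free(*seuser);
            free(*level);
            *seuser = *level = NULL;
            rc = -1;
        }
    }
    free(copy);
    return rc;
}

int main(void)
{
    const char *users[] = { "root", "alice", "bob" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        char *seuser = NULL, *level = NULL;
        int rc = lookup_seuser(sample_seusers, users[i], &seuser, &level);
        if (rc < 0)
            printf("%s: no seusers entry and no __default__\n", users[i]);
        else
            printf("%s -> %s:%s (%s)\n", users[i], seuser, level,
                   rc == 0 ? "own entry" : "__default__ fallback");
        free(seuser);
        free(level);
    }
    return 0;
}
```

Run as is, it reports what each sample user maps to. On a real system the same data comes from /etc/selinux/<policy>/seusers, and the point for sulogin is that root only gets the context the policy intends if root has its own entry there; a root without one inherits whatever __default__ says.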