From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 16 Feb 2010 09:02:26 -0500
Subject: [refpolicy] system_locallogin.patch
In-Reply-To: <4B769671.7020805@redhat.com>
References: <4AFC885C.50406@redhat.com> <1266005402.11004.24.camel@gorn.columbia.tresys.com> <4B769671.7020805@redhat.com>
Message-ID: <1266328946.11004.55.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
> >>
> >> Fixes for zseries
> >>
> >> lots of stuff differs from upstream.
> >
> > What is the generic usb device usage for?
> I think this comes from fingerprint reader. Google is a wonderful thing.
> https://bugzilla.redhat.com/show_bug.cgi?id=301961
> https://bugzilla.redhat.com/attachment.cgi?id=208401

It seems that it would be better to make sure fingerprint devices have
their own label. We wouldn't want any random generic usb device being
used for authentication.

> > It looks like that the sulogin_no_pam option needs to transition to a
> > tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
> > to sulogin, since you added the rules for computing the user contexts?
> >
>
> sulogin uses pam at Red Hat so it goes through pam_selinux.

Then I'm confused. Why was this added:

+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
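
Review bot: the define(`sulogin_no_pam') line in the quoted hunk is guarded only by distro_redhat and carries no comment saying which case it covers, while the quoted reply states that sulogin uses PAM at Red Hat and goes through pam_selinux. Either drop the define or add a comment explaining why a Red Hat build needs the non-PAM rules; if the behaviour has to stay selectable, the tunable proposed earlier in this thread (locallogin_sulogin_pam) is a better fit than a distro-wide define. The quoted fragment stops before the ifdef is closed, so the rest of the block cannot be checked from these lines.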