From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 16 Feb 2010 12:25:17 -0500
Subject: [refpolicy] system_locallogin.patch
In-Reply-To: <1266328946.11004.55.camel@gorn.columbia.tresys.com>
References: <4AFC885C.50406@redhat.com> <1266005402.11004.24.camel@gorn.columbia.tresys.com> <4B769671.7020805@redhat.com> <1266328946.11004.55.camel@gorn.columbia.tresys.com>
Message-ID: <4B7AD4FD.2090306@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/2010 09:02 AM, Christopher J. PeBenito wrote:
> On Sat, 2010-02-13 at 07:09 -0500, Daniel J Walsh wrote:
>> On 02/12/2010 03:10 PM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-11-12 at 17:12 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_locallogin.patch
>>>>
>>>> Fixes for zseries
>>>>
>>>> lots of stuff differs from upstream.
>>>
>>> What is the generic usb device usage for?
>> I think this comes from fingerprint reader. Google is a wonderful thing.
>> https://bugzilla.redhat.com/show_bug.cgi?id=301961
>> https://bugzilla.redhat.com/attachment.cgi?id=208401
>
> It seems that it would be better to make sure fingerprint devices have
> their own label. We wouldn't want any random generic usb device being
> used for authentication.
>
Not easy to do, since you would need to generate udev rules for labeling
each usb device. I don't believe these have a standard path.

>>> It looks like that the sulogin_no_pam option needs to transition to a
>>> tunable (locallogin_sulogin_pam). Does redhat patch on SELinux support
>>> to sulogin, since you added the rules for computing the user contexts?
>>>
>>
>> sulogin uses pam at Red Hat so it goes through pam_selinux.
>
> Then I'm confused. Why was this added:
>
> +ifdef(`distro_redhat',`
> + define(`sulogin_no_pam')
>
Sorry, I was mistaken; it does NOT use pam.
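Review bot: `define(`sulogin_no_pam')` inside `ifdef(`distro_redhat',` fixes the PAM-less sulogin behaviour at policy build time, so the rules it gates (setexec and the user-context computation) cannot be switched on or off for a given build without rebuilding the policy. As suggested earlier in this thread, gate those rules on a `locallogin_sulogin_pam` tunable (for example `tunable_policy(`!locallogin_sulogin_pam',` ... `)`) so the choice can be made with setsebool, and drop the distro-specific define.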
sulogin on Red Hat platforms has the following:

/* Needs <selinux/selinux.h> and <selinux/get_context_list.h> (libselinux). */
#ifdef WITH_SELINUX
	/* is_selinux_enabled needs its call parentheses; without them the
	 * comparison is against the function's address, not its result. */
	if (is_selinux_enabled() > 0) {
		security_context_t scon = NULL;
		char *seuser = NULL;
		char *level = NULL;

		/* Map the Linux user "root" to its SELinux user and MLS level
		 * (seusers), then pick the default context for that user.
		 * get_default_context_with_level() returns 0 on success, so the
		 * test must be "== 0"; with "> 0" the branch never runs. */
		if (getseuserbyname("root", &seuser, &level) == 0)
			if (get_default_context_with_level(seuser, level, NULL, &scon) == 0) {
				/* Context the root shell will be exec'd in. */
				if (setexeccon(scon) != 0)
					fprintf(stderr, "setexeccon failed\n");
				freecon(scon);
			}
		free(seuser);
		free(level);
	}
#endif
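To show what the policy side of that code looks like once `sulogin_no_pam` becomes a runtime tunable, here is a sketch in refpolicy's own policy language. It is an added example, not the system_locallogin.patch under discussion and not the change refpolicy eventually merged: the tunable name locallogin_sulogin_pam is taken from the thread, while the module name, the default value, and the particular set of seutil/selinux interfaces matched to each libselinux call are my assumptions.

```m4
# Added example (not refpolicy's merged code). Module name is assumed.
policy_module(locallogin_sulogin_example, 1.0.0)

## <desc>
## <p>
## Determine whether sulogin relies on PAM (pam_selinux) to set the
## context of the root shell. When false, sulogin computes the context
## itself with getseuserbyname(), get_default_context_with_level() and
## setexeccon(), as the Red Hat sulogin quoted above does.
## </p>
## </desc>
# Default value is an assumption (Red Hat's sulogin does not use PAM).
gen_tunable(locallogin_sulogin_pam, false)

# sulogin_t is declared in locallogin.te; required here because this
# sketch is written as a separate module.
gen_require(`
	type sulogin_t;
')

# The rules the C fragment above needs, gated on the tunable instead of
# on a build-time ifdef(`distro_redhat') / define(`sulogin_no_pam').
tunable_policy(`!locallogin_sulogin_pam',`
	# setexeccon() on its own process
	allow sulogin_t self:process setexec;

	# getseuserbyname(): reads /etc/selinux/<policy>/seusers
	seutil_read_config(sulogin_t)

	# get_default_context_with_level(): reads contexts/default_contexts ...
	seutil_read_default_contexts(sulogin_t)

	# ... and asks the kernel (security_compute_user) which contexts
	# the SELinux user may reach, then validates the chosen one.
	selinux_compute_user_contexts(sulogin_t)
	selinux_validate_context(sulogin_t)
')
```

Two caveats. A tunable_policy block is compiled into a conditional policy block, so it may only contain rules that checkpolicy accepts there (allow/auditallow/dontaudit and friends); interfaces that declare types or attributes cannot be called inside it. And pam_selinux performs the same setexeccon() work inside the calling process when PAM is used, so whether these particular rules should be conditional at all, rather than unconditional for sulogin_t, is a question this thread leaves open.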