From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 22 Feb 2011 11:06:47 -0500
Subject: [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
In-Reply-To: <4D63DC86.7070907@tresys.com>
References: <1297836053.3205.32.camel@tesla.lan> <4D63DC86.7070907@tresys.com>
Message-ID: <4D63DF17.1010808@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch allows using pam instead of nsswitch in
>> policy/modules/admin/usermanage.te.
>
> Do you have more of an explanation? auth_use_pam() is much more than
> the rules you're removing.
>
>> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100
>> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
>> # for SSP
>> dev_read_urand(chfn_t)
>>
>> -auth_domtrans_chk_passwd(chfn_t)
>> -auth_dontaudit_read_shadow(chfn_t)
>> -auth_use_nsswitch(chfn_t)
>> +auth_use_pam(chfn_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(chfn_t)
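Review bot: the three removed lines `-auth_domtrans_chk_passwd(chfn_t)`, `-auth_dontaudit_read_shadow(chfn_t)` and `-auth_use_nsswitch(chfn_t)` are replaced by the single `+auth_use_pam(chfn_t)`, which, as the reply above points out, grants considerably more than those three interfaces, yet the description only says the patch "allows using pam". The description should list what auth_use_pam() adds to chfn_t beyond the removed rules and why chfn needs it, and should confirm that auth_use_pam() itself carries a dontaudit for shadow reads: if it does not, dropping auth_dontaudit_read_shadow(chfn_t) here will make chfn's attempted reads of /etc/shadow appear as AVC denials again.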
>> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
>>
>> term_use_all_terms(passwd_t)
>>
>> -auth_domtrans_chk_passwd(passwd_t)
>> auth_manage_shadow(passwd_t)
>> auth_relabel_shadow(passwd_t)
>> auth_etc_filetrans_shadow(passwd_t)
>> -auth_use_nsswitch(passwd_t)
>> +auth_use_pam(passwd_t)
>>
>> # allow checking if a shell is executable
>> corecmd_check_exec_shell(passwd_t)
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
These tools are doing authentication: they are doing the full pam stack, not just calling getpw, so they need access to the entire pam stack.
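Review bot: in the passwd_t hunk the domain keeps auth_manage_shadow(passwd_t), auth_relabel_shadow(passwd_t) and auth_etc_filetrans_shadow(passwd_t) while `-auth_domtrans_chk_passwd(passwd_t)` and `-auth_use_nsswitch(passwd_t)` are swapped for `+auth_use_pam(passwd_t)`, so a domain that already writes and relabels the shadow file is being given the wider auth_use_pam() grant on top. The change is consistent with the chfn_t hunk, but the rationale given in the reply (these tools run the full pam stack rather than just calling getpw) is exactly what the commit description should say, so the wider grant is documented where the policy change is reviewed rather than only in the thread.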