From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 22 Feb 2011 18:04:59 +0100
Subject: [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch
 in the usermanage module
In-Reply-To: <4D63DF17.1010808@redhat.com>
References: <1297836053.3205.32.camel@tesla.lan>
	<4D63DC86.7070907@tresys.com>  <4D63DF17.1010808@redhat.com>
Message-ID: <1298394299.16004.33.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 22/02/2011 at 11.06 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:55 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch allows to use pam instead of nsswitch in
> >> policy/modules/admin/usermanage.te.
> > 
> > Do you have more of an explanation?  auth_use_pam() is much more than
> > the rules you're removing.
> > 
> >> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te	2011-02-07 00:35:04.530712150 +0100
> >> +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te	2011-02-07 00:38:27.175347975 +0100
> >> @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
> >>  # for SSP
> >>  dev_read_urand(chfn_t)
> >>  
> >> -auth_domtrans_chk_passwd(chfn_t)
> >> -auth_dontaudit_read_shadow(chfn_t)
> >> -auth_use_nsswitch(chfn_t)
> >> +auth_use_pam(chfn_t)
> >>  
> >>  # allow checking if a shell is executable
> >>  corecmd_check_exec_shell(chfn_t)
> >> @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t)
> >>  
> >>  term_use_all_terms(passwd_t)
> >>  
> >> -auth_domtrans_chk_passwd(passwd_t)
> >>  auth_manage_shadow(passwd_t)
> >>  auth_relabel_shadow(passwd_t)
> >>  auth_etc_filetrans_shadow(passwd_t)
> >> -auth_use_nsswitch(passwd_t)
> >> +auth_use_pam(passwd_t)
> >>  
> >>  # allow checking if a shell is executable
> >>  corecmd_check_exec_shell(passwd_t)
> >>
> >>
> >>
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> > 
> > 
> These tools are doing authentication they are doing the full pam stack
> not just calling getpw, so they need access to the entire pam_stack,

I took passwd from Fedora. So it's not something which applies to any
system in general and Christopher is right.

For example on a stable Debian system with refpolicy I didn't do that
and everything is working fine. But there I am using standard Debian
packages for user management. They are still linked against pam, but
apparently usermanagement does not need that there.

Perhaps it is not possible to generalize here (user management is too
much dependent on the specific system or distribution ?)

Christopher should just drop that. I don't know about every different
distribution. Perhaps they all use different tools.

Regards,

Guido