From: deleriux@airattack-central.com (Matthew Ife)
Date: Wed, 06 Jul 2011 19:24:04 +0100
Subject: [refpolicy] [Fwd: SSSD Local Auth and SELinux support]
In-Reply-To: <4E1467C9.2090403@tresys.com>
References: <1309897035.29086.4.camel@home.localdomain> <4E1467C9.2090403@tresys.com>
Message-ID: <1309976645.27109.9.camel@home.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-07-06 at 09:48 -0400, Christopher J. PeBenito wrote:
> On 07/05/11 16:17, Matthew Ife wrote:
> > This is an email I forwarded to the F15 selinux policy mailing list.
> >
> > As suggested, I forward the email and the attached patch which attempts
> > to resolve what I discussed.
> >
> > If you have any questions please let me know. This was a patch applied
> > to refpolicy.
>
> If we're looking to go down this road, then we have to consider other
> sources of authentication, such as nis, kerberos, and samba/winbind.

That has also crossed my mind as being a useful idea.

> This may cause problems with package managers trying to
> install/initialize the database for the first time, which is a concern.
>

Potentially, and that would need to be tested for. SSSD doesn't need it as it generates the files it needs upon startup. The worst case scenario here is we give the types that need it the access needed for package managers to do what they need to.

I do not think it would be a good idea to do all things we want to label as auth files in one fell swoop; big services like winbind and kerberos need testing for at least the majority of use-cases.

> There are a few problems (see inline):

...
...

> > init_use_fds(sxid_t)
> > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> > index ff006ea..e1cd45f 100644
> > --- a/policy/modules/kernel/files.if
> > +++ b/policy/modules/kernel/files.if
> > @@ -49,6 +49,7 @@
> > ##
> > +## Make the specified type an authentication file.
> > +## This will also make the type usable for security files, making
> > +## calls to files_security_file() redundant.
> > +##
> > +##
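Review bot: the interface description added at `+## Make the specified type an authentication file.` promises that files_security_file() becomes redundant but does not say what the new interface actually grants; state in the description that an auth file type is a strict superset of a security file type (and which attribute or rules provide that), so callers know not to invoke both and policy reviewers can see the access being handed out. The hunk header `@@ -49,6 +49,7 @@` declares a net gain of one line, yet the quoted text ends after several `+##` lines with no interface body visible, so the patch as quoted in the mail is cut short; please attach the complete patch or resend it with git send-email so the rules behind the description can be reviewed.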