From: russell@coker.com.au (Russell Coker)
Date: Sat, 22 Apr 2017 00:23:24 +1000
Subject: [refpolicy] [PATCH] login related stuff take 2
In-Reply-To: <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net>
References: <20170421091025.kwn5wmevhmoyidj3@athena.coker.com.au>
	<20170421134201.GC2335@julius>
	<16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net>
Message-ID: <201704220023.24414.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 21 Apr 2017 11:47:35 PM Guido Trentalancia via refpolicy wrote:
> I confirm that such auth permission is not needed. It uses shadow directly
> and it already has the appropriate auth_read_shadow() interface call!
> 
> I am now checking the details... 

The interface auth_login_pgm_domain() does a lot more than providing PAM 
access.  One could make a case for splitting it into 2 or 3 interfaces that 
perform different subsets of it's operations.  If you think that is the case 
then please submit a patch to the list and we can discuss that.

But I don't think there's much benefit to trying to restrict a domain that can 
launch a shell as sysadm_t or unconfined_t.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/