From: russell@coker.com.au (Russell Coker) Date: Sat, 22 Apr 2017 00:23:24 +1000 Subject: [refpolicy] [PATCH] login related stuff take 2 In-Reply-To: <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net> References: <20170421091025.kwn5wmevhmoyidj3@athena.coker.com.au> <20170421134201.GC2335@julius> <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net> Message-ID: <201704220023.24414.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 21 Apr 2017 11:47:35 PM Guido Trentalancia via refpolicy wrote: > I confirm that such auth permission is not needed. It uses shadow directly > and it already has the appropriate auth_read_shadow() interface call! > > I am now checking the details... The interface auth_login_pgm_domain() does a lot more than providing PAM access. One could make a case for splitting it into 2 or 3 interfaces that perform different subsets of it's operations. If you think that is the case then please submit a patch to the list and we can discuss that. But I don't think there's much benefit to trying to restrict a domain that can launch a shell as sysadm_t or unconfined_t. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/