Support custom login programs #77
Comments
On Wed, Aug 28, 2019 at 06:58:14AM -0700, Demi Marie Obenour wrote:
Currently, there is no good way for third-party domains to log users in with `pam_selinux.so`.
Can you explain what the pain points in your opinion are and maybe suggest possible solutions to address this?
…
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#77
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Wed, Aug 28, 2019 at 07:30:27AM -0700, Demi Marie Obenour wrote:
@doverride If I implement my own login program and give it its own type (say `demi_login_t`), `pam_selinux` does not assign the proper MCS contexts. I believe that the problem is the `*_default_contexts` files.
Yes, I agree. I've been thinking about the drop-in directory model here
where for example you have /etc/selinux/TYPE/contexts/users/user_u.d/override.conf (kind of similar to systemd overrides)
That way you can just add overrides and append or replace existing context configurations. (this would have to be addressed in SELinux User space though)
The same would have to apply to default_context and default_type
That reminds me, by the way, that the whole default_type idea should probably be scrutinized and that pam_selinux uses it in some places where I suspect it shouldn't.
Regardless though, this is something that would have to be addressed in SELinux user space. Probably best to start a discussion on the selinux mailing list.
But I do agree, this is an area that could probably be improved in my view.
…
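To make the mismatch being discussed concrete, here is an added example (not refpolicy or libselinux code) that models, in simplified form, how a login program's context is matched against a `default_contexts`-style file and how a drop-in override file in the style floated above could supply an entry for a custom login type. The file contents, the type `demi_login_t`, the `allowed_roles` set and the override directory layout are all constructed for illustration; the drop-in layout is the idea from this thread, not an existing SELinux userspace feature, and the real lookup in libselinux also consults the per-user `users/<seuser>` file and validates candidates against policy.

```python
"""Simplified model of default_contexts matching for a login program.

Added example, not refpolicy or libselinux code.  File contents, the type
demi_login_t and the override file layout are constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# Constructed stand-in for /etc/selinux/TYPE/contexts/default_contexts.
# Each line: "<login role>:<login type>[:level]" followed by an ordered
# list of candidate user contexts for sessions started by that program.
DEFAULT_CONTEXTS = """\
# role:type of login program   candidate user contexts, most preferred first
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
"""

# Constructed stand-in for a hypothetical drop-in override such as
# /etc/selinux/TYPE/contexts/users/user_u.d/override.conf, adding an entry
# for a third-party login program type that the base file knows nothing about.
OVERRIDE_CONTEXTS = """\
system_r:demi_login_t:s0 user_r:user_t:s0
"""


def partial(ctx: str) -> str:
    """Reduce 'seuser:role:type[:level]' or 'role:type[:level]' to 'role:type'.

    Only role and type of the calling program take part in the match; the
    sensitivity level is ignored here, as it is in the real lookup.
    """
    parts = ctx.split(":")
    if len(parts) >= 4:          # full context, drop the seuser prefix
        parts = parts[1:]
    return ":".join(parts[:2])


def parse_contexts(text: str) -> Dict[str, List[str]]:
    """Map the login program's 'role:type' to its ordered candidate list."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *candidates = line.split()
        table.setdefault(partial(key), []).extend(candidates)
    return table


def choose_user_context(login_ctx: str, allowed_roles: Set[str],
                        tables: List[str]) -> Optional[str]:
    """Return the first candidate whose role the user is allowed to enter.

    Tables are consulted in order; the first table that has an entry for the
    login program decides (list drop-in overrides before the base file).
    None means "no mapping", which is the failure a custom login type hits
    when only the stock default_contexts is present.
    """
    key = partial(login_ctx)
    for text in tables:
        candidates = parse_contexts(text).get(key)
        if candidates is None:
            continue
        for cand in candidates:
            if cand.split(":")[0] in allowed_roles:
                return cand
        return None
    return None


if __name__ == "__main__":
    stock = "system_u:system_r:local_login_t:s0"
    custom = "system_u:system_r:demi_login_t:s0"
    print(choose_user_context(stock, {"user_r"}, [DEFAULT_CONTEXTS]))
    print(choose_user_context(custom, {"user_r"}, [DEFAULT_CONTEXTS]))
    print(choose_user_context(custom, {"user_r"},
                              [OVERRIDE_CONTEXTS, DEFAULT_CONTEXTS]))
```

Run as a script it prints a mapping for `local_login_t`, `None` for `demi_login_t` against the stock file, and a mapping again once the override table is consulted first; that last step is what the drop-in model would have to provide, and it is the part that lives in SELinux userspace rather than in refpolicy.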
You would need to add lines to the
If you would like to change how the default_context files are processed, or add new processing for login, then the SELinux userspace project is where that should be discussed. The selinux mail list would be better for that discussion. Then refpolicy would adapt to the new methods as necessary.
Currently, there is no good way for third-party domains to log users in with `pam_selinux.so`.