On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
> On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> > I've implemented some enhancements for pam_namespace which can be used
> > for temporary logons. These enhancements were proposed by Dan Walsh.
> > Please review if you're interested.
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
>
> I like the functionality, but I'm starting to think that pam_namespace
> may get too complex if too many special cases get added. Rather than
> implementing a complex ad-hoc language for the namespace conf file, would
> it make sense to provide the option of calling an external script, giving
> it username and context etc. as arguments, and using its output as a list
> of namespace configurations?
>
> That way, you could keep policy decisions in the script.

That would help just with the ~xguest part of the enhancements but this
change is really simple and doesn't affect much of the code. However the
temp dir part must be handled in the module directly. The only change
could be instead of calling 'rm -rf' directly to call something like
namespace.remove script. But as the only logical thing is to remove the
temporary directory anyway I don't think it is worth the hassle.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb