On 12/05/2010 10:06 PM, Mr Dash Four wrote: > >> Reference: >> http://lists.fedoraproject.org/pipermail/selinux/2010-December/013294.html >> >> >> This may be more appropriate if other login programs need this as well. >> >> Signed-off-by: Dominick Grift <domg472@xxxxxxxxx> >> --- >> :100644 100644 6521109... ceadd00... M >> policy/modules/system/authlogin.if >> policy/modules/system/authlogin.if | 6 ++++++ >> 1 files changed, 6 insertions(+), 0 deletions(-) >> >> diff --git a/policy/modules/system/authlogin.if >> b/policy/modules/system/authlogin.if >> index 6521109..ceadd00 100644 >> --- a/policy/modules/system/authlogin.if >> +++ b/policy/modules/system/authlogin.if 
>> @@ -189,6 +189,12 @@ interface(`auth_login_pgm_domain',` >> ') >> >> optional_policy(` >> + openct_stream_connect($1) >> + openct_signull($1) >> + openct_read_pid_files($1) >> + ') >> + >> + optional_policy(` >> corecmd_exec_bin($1) >> storage_getattr_fixed_disk_dev($1) >> mount_domtrans($1) >>
> Would that work? Would you not get an out-of-scope error referencing a
> 'module' from a 'base' module?
> Bug submitted - https://bugzilla.redhat.com/show_bug.cgi?id=660147

In theory that would work since the policy is wrapped in an optional_policy block.

To be honest these modules (authlogin and locallogin) should not be in base in the first place. I don't have them in base in my personal policy either:

[root@localhost Desktop]$ semodule -l | grep authlogin
authlogin 2.2.0
[root@localhost Desktop]$ semodule -l | grep locallogin
locallogin 1.10.0

Stuffing everything in base just to work around some issue that should be handled more appropriately is a bad idea in my opinion.

If this patch does not work then not much else will work and policy is fundamentally broken.
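
Review bot: Scope is the question for the added optional_policy block at the top of the hunk: placed in auth_login_pgm_domain, the three calls openct_stream_connect($1), openct_signull($1) and openct_read_pid_files($1) apply to every domain that uses this interface, while the commit message only says other login programs may need them. If the need is confirmed only for local login, the calls are better placed in the locallogin policy; if the broad grant is intended, a short comment above the block naming the reason and the referenced thread would document it. Wrapping the calls in optional_policy is right, since it keeps the interface usable when the openct module is not loaded.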