Re: avc: smartcard token login


On 12/05/2010 10:06 PM, Mr Dash Four wrote:
> 
>> Reference:
>> http://lists.fedoraproject.org/pipermail/selinux/2010-December/013294.html
>>
>>
>> This may be more appropriate if other login programs need this as well.
>>
>> Signed-off-by: Dominick Grift <domg472@xxxxxxxxx>
>> ---
>> :100644 100644 6521109... ceadd00... M   
>> policy/modules/system/authlogin.if
>>  policy/modules/system/authlogin.if |    6 ++++++
>>  1 files changed, 6 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/system/authlogin.if
>> b/policy/modules/system/authlogin.if
>> index 6521109..ceadd00 100644
>> --- a/policy/modules/system/authlogin.if
>> +++ b/policy/modules/system/authlogin.if
>> @@ -189,6 +189,12 @@ interface(`auth_login_pgm_domain',`
>>      ')
>>  
>>      optional_policy(`
>> +        openct_stream_connect($1)
>> +        openct_signull($1)
>> +        openct_read_pid_files($1)
>> +    ')
>> +
>> +    optional_policy(`
>>          corecmd_exec_bin($1)
>>          storage_getattr_fixed_disk_dev($1)
>>          mount_domtrans($1)
>>   
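
Review bot: The three openct calls added in the new optional_policy block at the top of the hunk apply to every domain that calls auth_login_pgm_domain, but nothing in the block says why login programs need them. Please add a one-line comment tying the block to smartcard token login, and confirm that each of openct_stream_connect, openct_signull and openct_read_pid_files corresponds to a logged denial, so the interface does not grant more than the login programs actually use.
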
> Would that work? Would you not get an out-of-scope error referencing a
> 'module' from a 'base' module?
> Bug submitted - https://bugzilla.redhat.com/show_bug.cgi?id=660147

In theory that would work since the policy is wrapped in an
optional_policy block.

To be honest these modules (authlogin and locallogin) should not be in
base in the first place.

I don't have them in base in my personal policy either:

[root@localhost Desktop]$ semodule -l | grep authlogin
authlogin	2.2.0	
[root@localhost Desktop]$ semodule -l | grep locallogin
locallogin	1.10.0	

Stuffing everything in base just to work around some issue that should
be handled more appropriately is a bad idea in my opinion.

If this patch does not work then not much else will work and policy is
fundamentally broken.