On 11/13/2013 06:04 AM, Dominick Grift wrote:
> On Tue, 2013-11-12 at 19:20 +0100, Dominick Grift wrote:
>
>> Also I can't get sepermit to work on Fedora 19 (at least not with sshd
>> (that's all I tried))
>>
>> even if I add the debug option to sepermit.so it still does not log a
>> thing and my confined admin is able to log in in permissive mode :(
>>
>
> I tried it again, and it just seems messy. In /etc/pam.d/gdm-password
> "pam_selinux-permit.so" is called, while everywhere else (including the man
> page) it's "pam_sepermit.so"
>
> No matter what I try though, I cannot get it to work for sshd at least
>
> Not sure if related to sepermit, but I was able to log in without a password
> in gdm when I had just the username added to /etc/security/sepermit.conf (no
> ":exclusive" appended)
>
> So if it was sepermit allowing the user to log in w/o a password then I
> think that is probably wrong because AFAIK you need :exclusive to allow
> password-less logins.
>
> Nonetheless, things do not work for sshd, no matter what I try, and it's
> not giving me any feedback even if I append debug.
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

pam_sepermit requires no processes of the same label to be running. I.e., if
there is an xguest_t process running, pam_sepermit will require a password for
someone logging in as xguest_t.

We usually only allow console login with pam_sepermit, since it was designed
for the kiosk/xguest use case.