On 03/27/2014 11:05 PM, William Brown wrote:
> Hi,
>
> The current policy for yubikeys only takes into account the OTP functions. In addition, the PAM module supports a local challenge-response mode. I have attached a patch to allow CHAP to work for yubikeys with SELinux enabled.
>
> To note is that I have added an auth_home_rw_t type, as the PAM module reads from ~/.yubico/challenge-<tokenid> and then rewrites it with a new challenge after the attempt.
>
> I would like to especially ask that the section for the CHAP tunable policy be reviewed. In my testing, it seemed that login_pgm wasn't sufficient, as staff_sudo_t didn't seem to be covered by this, which is why I have added the sudodomain components. I would like to know if there is a better way to resolve this.
>
> Sincerely,

Looks OK. Basically we can also place the boolean in the sudo policy module.

Could we stay only with the "authlogin_yubikey" boolean?
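For readers who want to see what a single-boolean version of the policy discussed above looks like, here is a constructed example module. It is not the patch attached to William's mail and not Fedora's policy; the type name auth_home_rw_t, the boolean name authlogin_yubikey and the attributes login_pgm and sudodomain are taken from the thread, and the file-context path is an assumption based on the ~/.yubico/challenge-<tokenid> location the mail describes. It grants the same access to both login programs and sudo domains under one tunable, so no second boolean in the sudo module is needed.

```selinux
# --- yubikey_chap_local.te (constructed example, not the thread's patch) ---
policy_module(yubikey_chap_local, 1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow login programs and sudo domains to read and rewrite the
## pam_yubico local challenge-response files under ~/.yubico.
## </p>
## </desc>
gen_tunable(authlogin_yubikey, false)

# Type for ~/.yubico/challenge-<tokenid> files.  The PAM module reads the
# stored challenge and writes a fresh one after every attempt, so the
# type must be both readable and writable by the authenticating domain.
type auth_home_rw_t;
userdom_user_home_content(auth_home_rw_t)

# Attributes declared by the base policy; only referenced here.
gen_require(`
	attribute login_pgm;
	attribute sudodomain;
')

########################################
#
# Local policy
#

tunable_policy(`authlogin_yubikey',`
	# login programs (login, sshd, display managers, ...) must reach
	# ~/.yubico and rewrite the challenge file.  manage_files_pattern
	# also covers create/rename/unlink in the directory, which is needed
	# if the module rewrites by writing a temporary file and renaming it.
	userdom_search_user_home_dirs(login_pgm)
	manage_files_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)

	# sudo runs PAM in its own domain (e.g. staff_sudo_t), which is not
	# part of login_pgm; cover the sudodomain attribute under the same boolean.
	userdom_search_user_home_dirs(sudodomain)
	manage_files_pattern(sudodomain, auth_home_rw_t, auth_home_rw_t)
')

# --- yubikey_chap_local.fc (constructed example) ---
# Label the challenge directory and everything in it; path is assumed
# from the ~/.yubico/challenge-<tokenid> location the mail describes.
HOME_DIR/\.yubico(/.*)?		gen_context(system_u:object_r:auth_home_rw_t,s0)
```

Build and load the module with the selinux-policy-devel makefile (`make -f /usr/share/selinux/devel/Makefile yubikey_chap_local.pp && semodule -i yubikey_chap_local.pp`), enable the tunable with `setsebool -P authlogin_yubikey on`, and relabel the directory with `restorecon -Rv ~/.yubico`. Because the boolean defaults to off, hosts that do not use challenge-response keep the tighter policy; if a login or sudo attempt still fails, `ausearch -m AVC -ts recent` shows whether the denied domain is a login_pgm, a sudodomain, or something the rules above do not cover.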
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux