Re: Review of yubikey selinux policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/27/2014 11:05 PM, William Brown wrote:
Hi,

The current policy for yubikeys only takes into account the otp
functions. In addition, the pam module supports a local challenge
response mode. 

I have attached a patch to allow chap to work for yubikeys with selinux
enabled. To note is that I have added a auth_home_rw_t type, as the pam
module reads from ~/.yubico/challenge-<tokenid> and then rewrites it
with a new challenge after the attempt. 

I would like to especially ask that the section for the chap tunable
policy be reviewed. In my testing, it seemed that login_pgm wasn't
sufficient, as staff_sudo_t didn't seem to be covered by this which is
why I have added the sudodomain components. I would like to know if
there is a better way to resolve this. 

Sincerely,



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
Looks OK. Basically we can place the boolean also to the sudo policy module.

Could we stay only with  "authlogin_yubikey" boolean?


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux