Dear PAM developers,

Long time no post: last time I was on this list it was about pam_ntdom and pam_smb, like 5 years ago, almost. Anyway, I'm back, and this time it's about SE/Linux.

http://www.nsa.gov/selinux

No doubt you are aware of SE/Linux, devised by the NSA to alleviate some concerns about GNU/Linux being used unmodified, and therefore in their mind insecure, in various US government departments and services (the public ones, not the scary ones). The NSA has created a number of patches to various user-space programs; PAM is one of them. A number of distros are beginning to pick these up: Red Hat's Fedora Core 2 is now distributed with SE/Linux *enabled* by default. Russell Coker is now maintaining some separate patches to PAM for Debian, separate from the Debian mainstream distribution... not by choice, but by necessity!

Basically, what I would ask you to consider is to evaluate the patches to PAM, because there are several packages, such as login, openssh etc., which depend critically for successful operation on the SELinux PAM functionality. Without that functionality being in place upstream, some of the other package maintainers are not accepting the SELinux patches, because if they do, things will break. So, although you're not _quite_ at the bottom of the dependency tree, it's pretty darn close :) :)

One of the most common concerns about the acceptance of the SELinux package patches is "will it break things for non-selinux systems?" The answer to that one is a most definite "no, it will NOT break anything". The reason is that, as you can see from the patches (available from several sources, but probably the most convenient place to obtain them is http://www.nsa.gov/selinux/code/download5.cfm), they use is_selinux_enabled(), and if this indicates that SELinux is not enabled, then things like PAM_SUCCESS get returned, etc.

Also for your convenience, here is one of the Debian bugs that references the pam_unix patch; I can't find one for the pam_selinux patch unless I missed it.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=249499

Thank you,

l.

--
Expecting email to be received and understood is a bit like picking up the telephone and immediately dialing without checking for a dial-tone; speaking immediately without listening for either an answer or ring-tone; hanging up immediately and believing that you have actually started a conversation.
--
http://lkcl.net
lkcl@xxxxxxxx

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
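The "it will not break non-SELinux systems" argument in the post rests on one pattern: the PAM hook asks the kernel whether SELinux is enabled and, if not, does nothing and returns PAM_SUCCESS. The following is an added illustration of that pattern written for this page; it is not the NSA's pam_selinux patch, Russell Coker's Debian patch, or Linux-PAM code. The function names selinux_runtime_enabled and establish_context, the USE_LIBPAM / USE_LIBSELINUX build switches, and the /sys/fs/selinux probe used when libselinux is not linked are all assumptions of this example. Built without the switches it has no dependency on libpam or libselinux at all, which is exactly the property a reviewer of such a patch would want to check: the same source is safe on a host that has neither.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Opt in to the real libraries with:
 *   cc -DUSE_LIBPAM -DUSE_LIBSELINUX example.c -lpam -lselinux
 * Without these flags the file builds on any host with no SELinux or PAM
 * development packages. (Build switches are an assumption of this example.) */
#ifdef USE_LIBPAM
#include <security/pam_modules.h>
#else
/* Linux-PAM return codes, reproduced here for a build without libpam. */
#define PAM_SUCCESS     0
#define PAM_SESSION_ERR 14
#endif

#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>
#endif

/* Runtime probe. With libselinux this is the real is_selinux_enabled();
 * otherwise a simplified stand-in (assumption): a mounted selinuxfs at
 * /sys/fs/selinux is treated as "enabled". */
static int selinux_runtime_enabled(void)
{
#ifdef USE_LIBSELINUX
    return is_selinux_enabled() == 1;
#else
    struct stat st;
    return stat("/sys/fs/selinux/enforce", &st) == 0;
#endif
}

/* The decision the post describes, kept free of library calls so it can be
 * tested on its own: on a host where SELinux is not enabled the module has
 * no work to do and reports success; only when SELinux is enabled does a
 * failure to establish the session context become a session error. */
int selinux_session_result(int selinux_enabled, int context_ok)
{
    if (!selinux_enabled)
        return PAM_SUCCESS;
    return context_ok ? PAM_SUCCESS : PAM_SESSION_ERR;
}

/* Hypothetical placeholder for the work done once SELinux is known to be
 * enabled (the real module computes and sets the user's security context).
 * Here it only checks that the current context can be read. */
static int establish_context(void)
{
#ifdef USE_LIBSELINUX
    char *ctx = NULL;
    if (getcon(&ctx) != 0)
        return 0;
    freecon(ctx);
    return 1;
#else
    return 1;
#endif
}

#ifdef USE_LIBPAM
/* Session hook entry point, built only with -DUSE_LIBPAM. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    int enabled = selinux_runtime_enabled();
    return selinux_session_result(enabled, enabled ? establish_context() : 1);
}
#endif

int main(void)
{
    int enabled = selinux_runtime_enabled();
    int rc = selinux_session_result(enabled, enabled ? establish_context() : 1);
    printf("SELinux %s -> session hook returns %d (%s)\n",
           enabled ? "enabled" : "not enabled", rc,
           rc == PAM_SUCCESS ? "PAM_SUCCESS" : "PAM_SESSION_ERR");
    return rc;
}
```

The separation between the runtime probe and selinux_session_result is deliberate: the probe is the only place that touches the kernel or libselinux, so the "non-SELinux host always gets PAM_SUCCESS" guarantee can be checked without either library present, which is the kind of evidence a PAM maintainer would want before merging.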