Re: IDEA: /etc/pam.d/*/*

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Jul 25, 2004 at 10:57:39AM +0100, Luke Kenneth Casson Leighton wrote:
> there is a minor issue of inter-dependence of packages that may
> be resolved by applying the usual debian approach of 
> "if-it-was-a-config-file-make-it-a-directory".
> 
> the issue is that Debian has to cater for SELinux being
> installed and not installed.
> 
> openssh, login, kdm, gdm, su and several other packages all
> require "session pam_selinux.so required" to be added to
> their respective /etc/pam.d/XXX configurations in order for
> SE/Linux to operate correctly.
> 
> Redhat is solving the issue by always enabling SE/Linux by
> default.
> 
> Debian has no such luxury.
> 
> therefore, openssh etc. etc. cannot accept upstream patches
> to have /etc/pam.d/ssh include that line by default, because
> if you do, and pam_selinux.so is not installed, you're hosed.

sounds overcomplicated.

how about having debian packages Depend: libpam-selinux | libpam-fakeselinux

where libpam-selinux is the real selinux module, and
libpam-fakeselinux is a fake version which is equivilent to
pam_permit, both packages would conflict with each other and provide
/lib/security/pam_selinux.so

then your packages can just go ahead and include the pam_selinux.so
lines in their config files without worry of things blowing up if
selinux is not in use.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpjWMbOYTNFN.pgp
Description: PGP signature

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux