On 12/21/18 5:34 AM, Dominick Grift wrote: > On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote: >> These are changes needed when pam_fallock created files in /run/faillock >> (which is labeled faillog_t). sudo and xdm (and probably other domains) >> will create files in this directory for successful and failed logins >> attempts. > The pam stuff has become a bit broken in my view. > > We use to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly. > > So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead. > > My opinion is that this belongs in auth_use_pam() Dominick, I see those interfaces. It looks like xdm_t already uses auth_login_pgm_domain(xdm_t). It also isn't really clear to me what the difference is between auth_login_pgm_domain() and auth_use_pam(). I will make updates moving my change into auth_use_pam() and also update sudo_role_template() to use (I think) auth_login_pgm_domain (). I will resubmit this patch, --- snip ---
