On 12/21/18 9:58 PM, Sugar, David wrote:
On 12/21/18 5:34 AM, Dominick Grift wrote:
On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
These are changes needed when pam_fallock created files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed logins
attempts.
The pam stuff has become a bit broken in my view.
We use to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly.
So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead.
My opinion is that this belongs in auth_use_pam()
Dominick,
I see those interfaces. It looks like xdm_t already uses
auth_login_pgm_domain(xdm_t). It also isn't really clear to me what the
difference is between auth_login_pgm_domain() and auth_use_pam().
It's a little muddy, but a "login" domain is as it seems; authentication
for login programs. The "use" one is other uses of PAM.
--
Chris PeBenito