On Sat, Dec 22, 2018 at 02:58:41AM +0000, Sugar, David wrote: > > On 12/21/18 5:34 AM, Dominick Grift wrote: > > On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote: > >> These are changes needed when pam_fallock created files in /run/faillock > >> (which is labeled faillog_t). sudo and xdm (and probably other domains) > >> will create files in this directory for successful and failed logins > >> attempts. > > The pam stuff has become a bit broken in my view. > > > > We use to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly. > > > > So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead. > > > > My opinion is that this belongs in auth_use_pam() > > Dominick, > > I see those interfaces. It looks like xdm_t already uses > auth_login_pgm_domain(xdm_t). It also isn't really clear to me what the > difference is between auth_login_pgm_domain() and auth_use_pam(). I > will make updates moving my change into auth_use_pam() and also update > sudo_role_template() to use (I think) auth_login_pgm_domain (). sudo is not an auth_login_pgm_domain() i believe the auth_use_pam() is a subset of auth_login_pgm_domain() so login_pgm domains are pam clients plus extras needed to log in users a auth_use_pam() (pam client) has a pam stack but it might not actually do logins sudo uses pam but its not a real login program, so afaik sudo should call auth_use_pam() xdm is a login_pgm, so is sshd etc systemd is also a pam client, but not a login program > > I will resubmit this patch, > > --- snip --- -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
