I have made my modifications to newrole. Is there any testcases or documentation on what needs to be tested before submitting a patch? With the minimal testing that I have done everything appears to be working correctly. Attached is the patch file. Please review and comment. Thanks! Tim -----Original Message----- From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] Sent: Tuesday, December 11, 2007 1:18 PM To: Xavier Toth Cc: Reed, Tim (US SSA); selinux@xxxxxxxxxxxxx Subject: Re: newrole in the background On Tue, 2007-12-11 at 10:06 -0600, Xavier Toth wrote: > We ended up creating a variant of newrole which doesn't require tty > access. We did this to run some of our applications in the background > but still get newroles ability to set the context/level of the child > and to create a pam session for polyinstantiation. For this to work we > had to configure our apps into our variants equivalent of > /etc/selinux/newrole_pam.conf and provide corresponding /etc/pam.d > files which typically look like : > #%PAM-1.0 > auth required pam_permit.so > account required pam_permit.so > password required pam_permit.so > session required pam_mkpolydir.so debug > session required pam_namespace.so unmnt_remnt > no_unmount_on_close gen_hash ignore_instance_parent_mode debug > > This variant was based on a Fedora policysoreutils source rpm because > the RHEL5 version doesn't contain the code to map applications to > /etc/pam.d files using /etc/selinux/newrole_pam.conf. As a workaround, you could certainly create a pty in your application and use that for newrole - that woudl let you use newrole unmodified. As a longer term solution, I'd suggest making a patch for newrole that allows it to gracefully function even in the absence of a tty, and get that upstreamed, so that you can use newrole as is. -- Stephen Smalley National Security Agency
Attachment:
newrole_no_tty.patch
Description: newrole_no_tty.patch
