Re: newrole in the background

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Reed, Tim (US SSA) wrote:

I have made my modifications to newrole.  Is there any testcases or
documentation on what needs to be tested before submitting a patch?
With the minimal testing that I have done everything appears to be
working correctly.

Attached is the patch file.  Please review and comment.

Thanks!
Tim


-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] Sent: Tuesday, December 11, 2007 1:18 PM 
To: Xavier Toth
Cc: Reed, Tim (US SSA); selinux@xxxxxxxxxxxxx
Subject: Re: newrole in the background

On Tue, 2007-12-11 at 10:06 -0600, Xavier Toth wrote:

We ended up creating a variant of newrole which doesn't require tty
access. We did this to run some of our applications in the background
but still get newroles ability to set the context/level of the child
and to create a pam session for polyinstantiation. For this to work we
had to configure our apps into our variants equivalent of
/etc/selinux/newrole_pam.conf and provide corresponding /etc/pam.d
files which typically look like :
#%PAM-1.0
auth       required     pam_permit.so
account    required     pam_permit.so
password   required     pam_permit.so
session    required     pam_mkpolydir.so debug
session    required     pam_namespace.so unmnt_remnt
no_unmount_on_close gen_hash ignore_instance_parent_mode debug

This variant was based on a Fedora policysoreutils source rpm because
the RHEL5 version doesn't contain the code to map applications to
/etc/pam.d files using /etc/selinux/newrole_pam.conf.


As a workaround, you could certainly create a pty in your application
and use that for newrole - that woudl let you use newrole unmodified.

As a longer term solution, I'd suggest making a patch for newrole that
allows it to gracefully function even in the absence of a tty, and get
that upstreamed, so that you can use newrole as is.
What happens if a command passed as an argument has a pam configuration that requires a password to be entered? 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux