Re: refpolicy patch: samba enhancements

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:42 -0400, Daniel J Walsh wrote:
>> Mike Edenfield wrote:
>>> I apologize if I'm not doing this right, I'm kinda new at this...
>>>
>>> I have made some changes to the SELinux policy for our intranet servers
>>> that I thought might be useful to a broader audience.  Included below is
>>> a patch to the latest refpolicy.  This has been tested on the Gentoo
>>> systems we have here; I don't have easy access to other SELinux systems
>>> at the moment.  It does the following:
> [...]
>>> * Adds a tunable that lets samba create home directories via pam_mkhomedir
> 
>> Could you do this with pam_oddjob_mkhomedir without having to add the
>> privs?  I think this is a better solution.
> 
> What if you don't have oddjob?  It doesn't hurt to have the perms in a
> tunable.  It could be put in an ifndef distro_redhat, if samba in
> fedora/rh requires pam_oddjob_mkhomedir.
> 
I have more of a problem with pam_mkhomedir from login programs since
samba can currently read/write homedirs with a boolean.  It is not as
big a deal.  oddjob just breaks things out the way SELinux likes it.
Pam module requests a service create a homedir.  Service execs a job to
create the homedir.  Each process gets a different context.


gentoo should look into it.

But I am fine with adding the patch.  pam_mkhomedir does not work well
currently with ssh, locallogin, gdm on Fedora platform.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
