-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> Currently the gdm package in Debian has some degree of SE Linux support (I
> haven't yet read the source to see what it does). However it seems that the
> pam_selinux.so module is required and that it can't be the last module
> (previously I just appended a line to the pam configuration).
>
> session required pam_selinux.so
> session optional pam_gnome_keyring.so auto_start
>
> The above is part of my /etc/pam.d/gdm file. The SE Linux module needs to be
> run before the pam_gnome_keyring.so module so that the daemon it spawns for
> the user will get the correct context.
>
> It seems that we have three broad classes of session modules. Those which
> launch no child processes, those which launch system processes (e.g. automatic
> home directory creation), and those which launch user processes (such as a
> GNOME keyring).
>
> Dan, what are you guys doing in Fedora in this regard? Are you integrating SE
> Linux support manually in every pam.d file to make sure you get it right? It
> seems that any automatic method (such as just appending a line to every one
> of a set of files) is not going to work.
>
> Or have you patched a bunch of PAM modules to call setexeccon(NULL) before
> they call exec()?
>
No, we have the pam modules written pretty well. No patching.

And we are trying to get rid of all pam modules that exec system processes:
pam_oddjob_mkhomedir instead of pam_mkhomedir, consolekit/dbus/policykit
instead of pam_console. PAM modules doing extremely privileged apps are always
a problem; pam_mount, for example, and pam_namespace.

I believe system-config-auth and the defaults all work in Fedora.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmv6UUACgkQrlYvE4MpobMiIgCg0cAAhkbsIRVegfvU4qZac5+2
dF0AoOF737Dp2gev+MpJVJL4V12U7UoM
=t2qk
-----END PGP SIGNATURE-----
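The ordering constraint Russell describes (the session line for pam_selinux.so must come before any session module that spawns a process on the user's behalf, such as pam_gnome_keyring.so, or that process keeps the login program's context) is easy to get wrong when lines are appended mechanically. The checker below is an added example written for this page, not code from the thread, Debian or Fedora. It parses a PAM service file in the standard `type control module args` format, skips comments and `@include` lines (included files are not followed, an assumed simplification), and reports any user-process session module that runs before pam_selinux.so. The set `USER_PROCESS_MODULES` contains only pam_gnome_keyring.so, the module named in the thread; the sample configs are constructed, modelled on the /etc/pam.d/gdm fragment quoted above.

```python
"""Check that pam_selinux.so precedes session modules that spawn user processes.

Added example for this thread; the sample configs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Session modules that, per the thread, spawn a process for the user and therefore
# must run after pam_selinux.so has set the exec context. (Assumed list: only the
# module named in the discussion.)
USER_PROCESS_MODULES = {"pam_gnome_keyring.so"}

# Matches: [-]type  control-or-[bracketed control]  module  args...
_ENTRY_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


@dataclass
class PamLine:
    lineno: int
    type: str        # auth / account / password / session
    control: str     # required, optional, [success=1 default=ignore], ...
    module: str      # e.g. pam_selinux.so
    args: List[str]


def parse_pam_config(text: str) -> List[PamLine]:
    """Parse the body of a /etc/pam.d/<service> file into PamLine entries.

    Comments and blank lines are dropped. @include lines are skipped, so modules
    pulled in from common-session are NOT examined (assumed limitation).
    """
    entries: List[PamLine] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparsable PAM entry: {raw!r}")
        typ, control, module, rest = m.groups()
        # A leading '-' only silences missing-module logging; strip it for matching.
        entries.append(PamLine(n, typ.lstrip("-"), control, module, rest.split()))
    return entries


def check_selinux_ordering(text: str) -> List[str]:
    """Return a list of problems; an empty list means the ordering is acceptable."""
    problems: List[str] = []
    selinux_line: Optional[int] = None
    for e in parse_pam_config(text):
        if e.type != "session":
            continue
        if e.module == "pam_selinux.so":
            if selinux_line is None:
                selinux_line = e.lineno
        elif e.module in USER_PROCESS_MODULES and selinux_line is None:
            problems.append(
                f"line {e.lineno}: {e.module} runs before pam_selinux.so; "
                f"the process it spawns would inherit the login program's context"
            )
    if selinux_line is None:
        problems.append("no session pam_selinux.so entry found")
    return problems


# Constructed sample: the ordering from the thread, plus a bracketed control
# field and an @include line to exercise the parser.
GOOD_GDM = """\
# /etc/pam.d/gdm (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
@include common-session
session required pam_selinux.so
session optional pam_gnome_keyring.so auto_start
"""

# Constructed sample: pam_selinux.so merely appended at the end, the mistake
# Russell describes.
BAD_GDM = """\
@include common-session
session optional pam_gnome_keyring.so auto_start
session required pam_selinux.so
"""

# Constructed sample: no pam_selinux.so at all.
NO_SELINUX = """\
session optional pam_gnome_keyring.so auto_start
"""


if __name__ == "__main__":
    for name, cfg in (("GOOD_GDM", GOOD_GDM), ("BAD_GDM", BAD_GDM), ("NO_SELINUX", NO_SELINUX)):
        result = check_selinux_ordering(cfg)
        print(f"{name}: {'OK' if not result else result}")
```

Run it against a copy of the service file you are editing; a clean result only means the entries visible in that file are ordered correctly, since anything behind `@include common-session` is not examined.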