On 07/07/2009 12:05 PM, Joshua Brindle wrote:
Joshua Brindle wrote:
Daniel J Walsh wrote:
The interface is looking for something that looks like:
*:staff_u:s0
or
sshd:guest_u:s0
login:staff_u:so-s0:c0-c1023
xdm:user_u:so
I don not currently intend this to be edited by a human, the goal was to
allow tools like IPA or other scripting tools to populate these files.
The library should return the content as it does, but libselinux or
pam_selinux should deny login if the machine is in enforcing mode. The
fact that it is giving you a bogus login is a bug in current SELinux.
The : separated list matches seusers and /etc/passwd so I think it
makes
sense. THe file should require all three fields, that is a bug.
Patch merged in libselinux 2.0.84.
Even though I merged this I'm a little concerned about how fragile it
is. For example, I added:
sshd:staff_u:SystemLow
to /etc/selinux/targeted/logins/root
and when I rebooted and logged in I was unconfined_u. The problem was
that mcstrans hadn't been started. The fact that I can essentially get
unconfined access by bringing mcstrans down somehow is _very_
concerning. Granted this only happens if you are using translated levels
but I think that will be very common in practice (so that the IPA
infrastructure doesn't need to know the label encodings of every system).
This is badness waiting to happen :\
But the bug here is returning an invalid context. We should return an
error and not let you login.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
