Joshua Brindle wrote:
Daniel J Walsh wrote:
The interface is looking for something that looks like:
*:staff_u:s0
or
sshd:guest_u:s0
login:staff_u:so-s0:c0-c1023
xdm:user_u:so
I don not currently intend this to be edited by a human, the goal was to
allow tools like IPA or other scripting tools to populate these files.
The library should return the content as it does, but libselinux or
pam_selinux should deny login if the machine is in enforcing mode. The
fact that it is giving you a bogus login is a bug in current SELinux.
The : separated list matches seusers and /etc/passwd so I think it
makes
sense. THe file should require all three fields, that is a bug.
Patch merged in libselinux 2.0.84.
Even though I merged this I'm a little concerned about how fragile it is. For
example, I added:
sshd:staff_u:SystemLow
to /etc/selinux/targeted/logins/root
and when I rebooted and logged in I was unconfined_u. The problem was that
mcstrans hadn't been started. The fact that I can essentially get unconfined
access by bringing mcstrans down somehow is _very_ concerning. Granted this only
happens if you are using translated levels but I think that will be very common
in practice (so that the IPA infrastructure doesn't need to know the label
encodings of every system).
This is badness waiting to happen :\
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
