Daniel J Walsh wrote:
On 07/07/2009 01:16 PM, Joshua Brindle wrote:
Daniel J Walsh wrote:
On 07/07/2009 12:05 PM, Joshua Brindle wrote:
Joshua Brindle wrote:
Daniel J Walsh wrote:
The interface is looking for something that looks like:
*:staff_u:s0
or
sshd:guest_u:s0
login:staff_u:so-s0:c0-c1023
xdm:user_u:so
I don not currently intend this to be edited by a human, the goal
was to
allow tools like IPA or other scripting tools to populate these
files.
The library should return the content as it does, but libselinux or
pam_selinux should deny login if the machine is in enforcing mode.
The
fact that it is giving you a bogus login is a bug in current SELinux.
The : separated list matches seusers and /etc/passwd so I think it
makes
sense. THe file should require all three fields, that is a bug.
Patch merged in libselinux 2.0.84.
Even though I merged this I'm a little concerned about how fragile it
is. For example, I added:
sshd:staff_u:SystemLow
to /etc/selinux/targeted/logins/root
and when I rebooted and logged in I was unconfined_u. The problem was
that mcstrans hadn't been started. The fact that I can essentially get
unconfined access by bringing mcstrans down somehow is _very_
concerning. Granted this only happens if you are using translated
levels
but I think that will be very common in practice (so that the IPA
infrastructure doesn't need to know the label encodings of every
system).
This is badness waiting to happen :\
But the bug here is returning an invalid context. We should return an
error and not let you login.
Are you going to do this or do you need me to?
If you set the flag
REQUIRESEUSERS=1
in /etc/selinux/config. Does it reject the login?
No, log in works fine, with the incorrect context.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
