One of the oldest bugs/wacky things about SELinux is what happens when a login program cannot calculate a login context.

Right now we have an open bug on confined users. Basically, if you set up a confined user guest_u and attempt to log in to that user via xdm_t, you get a context of guest_u:guest_r:oddjob_mkhomedir_t:s0

    selinuxdefcon pwalsh system_u:system_r:xdm_t:s0
    guest_u:guest_r:oddjob_mkhomedir_t:s0

Yech.

This could be considered a security hole, but it is definitely broken. I have been looking at the libselinux code, but this is actually expected behavior, and I am not eager to fix it, since it might break people's expectations.

Eric suggested that we might want to move the problem out of libselinux and make this a login program problem. Make the login program's pam_selinux a userspace manager. After libselinux returns a context to pam_selinux, it would check for the following allow rule.

    allow logindomain userdomain:login entrypoint;

Then pam_namespace would check if xdm_t is allowed a login entry point into oddjob_mkhomedir_t; if no, blow up the login.

Comments?

-- 
This message was distributed to subscribers of the selinux mailing list.
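The following is an added example, not code from the list message above and not from libselinux or pam_selinux. It models the proposed userspace check: after libselinux hands back a computed user context, the login program parses `allow <logindomain> <userdomain>:login entrypoint;` rules and refuses the login when no rule permits the login domain to enter the computed user domain. The `login` object class, the rule set (`SAMPLE_POLICY`) and the helper names (`parse_rules`, `login_entrypoint_allowed`, `decide_login`) are assumptions made for this example; shipped SELinux policy has no `login` class.

```python
"""Model of the 'login entrypoint' check proposed in the post.

Added example, not code from the selinux list message nor from
libselinux or pam_selinux. It simulates the proposal: after libselinux
returns the user's context, the login program consults allow rules of
the form

    allow <logindomain> <userdomain>:login entrypoint;

and refuses the login if no rule permits the computed user domain. The
'login' object class, the rule set and the sample contexts are
constructed for this example; shipped SELinux policy has no such class.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """An SELinux security context user:role:type:level."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        # split at most 3 times so an MLS range like s0-s0:c0.c1023 stays whole
        parts = text.strip().split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"malformed context: {text!r}")
        return cls(*parts)


# allow <source_type> <target_type>:<class> <permission>;
RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\S+)\s*;\s*$")


def parse_rules(policy_text: str) -> set:
    """Parse simple allow rules into (source, target, class, perm) tuples."""
    rules = set()
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        if not line.strip():
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.add(match.groups())
    return rules


def login_entrypoint_allowed(rules: set, login_ctx: str, user_ctx: str) -> bool:
    """The proposed check: may login_ctx's domain enter user_ctx's domain?"""
    src = Context.parse(login_ctx).type
    dst = Context.parse(user_ctx).type
    return (src, dst, "login", "entrypoint") in rules


def decide_login(rules: set, login_ctx: str, computed_ctx: str) -> dict:
    """Outcome pam_selinux would return after libselinux computed a context."""
    ok = login_entrypoint_allowed(rules, login_ctx, computed_ctx)
    return {
        "allowed": ok,
        "login_domain": Context.parse(login_ctx).type,
        "user_domain": Context.parse(computed_ctx).type,
        "reason": ("login entrypoint rule present" if ok
                   else "no 'login entrypoint' rule; refusing login"),
    }


# Constructed rule set: domains a display manager / sshd may log users into.
SAMPLE_POLICY = """
# constructed for this example, not shipped policy
allow xdm_t  unconfined_t:login entrypoint;
allow xdm_t  guest_t:login entrypoint;
allow sshd_t guest_t:login entrypoint;
"""

XDM_CTX = "system_u:system_r:xdm_t:s0"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    # The post's broken case: libselinux handed back oddjob_mkhomedir_t,
    # which no rule lists as a login entrypoint for xdm_t, so it is refused.
    for ctx in ("guest_u:guest_r:oddjob_mkhomedir_t:s0",
                "guest_u:guest_r:guest_t:s0"):
        print(ctx, "->", decide_login(rules, XDM_CTX, ctx))
```

The design point is that the decision happens in the login program rather than in libselinux, exactly as the post proposes: libselinux keeps its current (expected) behaviour of returning a fallback context, and the policy author gets an explicit, auditable rule listing which user domains each login domain may enter, so a fallback like oddjob_mkhomedir_t fails closed instead of becoming a session domain.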