On Wed, 2012-02-29 at 15:47 -0500, Daniel J Walsh wrote:
> One of the oldest bugs/wacky things about SELinux is what happens when
> a login program cannot calculate a login context.
>
> Right now we have an open bug on confined users. Basically if you
> set up a confined user guest_u and attempt to login to that user via
> xdm_t, you get a context of guest_u:guest_r:oddjob_mkhomedir_t:s0
>
> selinuxdefcon pwalsh system_u:system_r:xdm_t:s0
> guest_u:guest_r:oddjob_mkhomedir_t:s0
>
> Yech.
>
> This could be considered a security hole, but it is definitely broken.
> I have been looking at the libselinux code but this is actually
> expected behavior, and I am not eager to fix it, since it might break
> people's expectations.
>
> Eric suggested that we might want to move the problem out of
> libselinux and make this a login program problem. Make the login
> program's pam_selinux a userspace manager.
>
> After libselinux returns a context to pam_selinux it would check for
> the following allow rule.
>
> allow logindomain userdomain:login entrypoint;
>
> Then pam_namespace would check if xdm_t is allowed a login entry point
> into oddjob_mkhomedir_t, if no, blow up the login.
>
> Comments?

Last time we discussed this, I thought we agreed to migrate away from the
current usage of security_compute_user (/selinux/user) altogether within
libselinux, and replace it with a simpler userspace configuration and logic
for determining user roles and levels.

-- 
Stephen Smalley
National Security Agency