On 05/06/2014 01:46 PM, Laurent Bigonville wrote:
> Hello,
>
> I was wondering, is there a list of pam modules that need to be called
> between pam_selinux close/open?
>
> On Fedora I see pam_loginuid, but are there other modules that must be
> in between, or can all the other modules be after the "pam_selinux
> open" one?
>
> Cheers,
>
> Laurent Bigonville

No, only thing that should not be called after pam_selinux open is an app that wants to run a priv command.

pam_selinux open is setting the user context, so any apps that are executed after the open will be executed in the user's context. Any app that is executed before the open will be executed as the context of the login program.

pam_selinux will also change the labels on ttys.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
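
The ordering rule from the reply above, as an added example that is not part of the original thread: a small checker that groups the session modules of a PAM stack by their position relative to `pam_selinux close`/`open` and flags command-executing modules placed after `open`. The sample stack, the script path in it, and the `EXEC_MODULES` set are constructed assumptions; `include` lines are not followed.

```python
import os

# Constructed sample of a login-style PAM stack (not taken from the thread).
SAMPLE_STACK = """\
#%PAM-1.0
auth       include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    [success=ok default=ignore] pam_keyinit.so force revoke
session    optional     pam_exec.so /usr/local/sbin/session-setup
"""

# Assumption: modules that run an external program. Extend for local modules.
EXEC_MODULES = {"pam_exec.so"}


def parse_rule(line):
    """Split one PAM rule into (type, module, args); None if malformed."""
    parts = line.split()
    end = 1
    if parts[1].startswith("["):  # bracketed control may contain spaces
        while end < len(parts) - 1 and not parts[end].endswith("]"):
            end += 1
    rest = parts[end + 1:]
    if not rest:
        return None
    return parts[0].lstrip("-"), os.path.basename(rest[0]), rest[1:]


def classify_session_stack(text):
    """Group session modules by position relative to pam_selinux close/open."""
    phases = {"before_close": [], "between_close_open": [], "after_open": []}
    warnings, phase = [], "before_close"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        rule = parse_rule(line) if len(line.split()) >= 3 else None
        if rule is None or rule[0] != "session":
            continue  # blank, comment, malformed, or non-session rule
        _, module, args = rule
        if module == "pam_selinux.so":
            if "close" in args:
                phase = "between_close_open"
            elif "open" in args:
                phase = "after_open"
            continue
        phases[phase].append(module)
        if phase == "after_open" and module in EXEC_MODULES:
            warnings.append(f"line {lineno}: {module} runs after 'pam_selinux open', "
                            "so its command executes in the user's context")
    return phases, warnings
```

Calling `classify_session_stack(open("/etc/pam.d/login").read())` on a real stack gives the same grouping for review.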