pam_selinux and systemd

pam_selinux requirements are generally pretty simple: it's used to associate a context with a login shell.

With systemd things have become a bit more complicated.

systemd uses pam_selinux to associate a context with both a login shell (via container-shell@.service) as well as with a systemd --user instance.

Ideally one would not associate a login shell context with a systemd --user instance because a systemd --user instance needs permissions that do not make sense for a login shell to have.

I am not aware of any way to make pam_selinux associate a context based on a variable, for example: if it's a login shell then associate this context, and if it's a systemd --user instance then associate that context.

This is an issue for me currently because if users are allowed to "host-shell" (machinectl shell .host) then they are able to open a shell with the context of the systemd --user instance and escape their shell restrictions.

For now I can just block host-shell access with polkit, but I am trying to figure out what it would take to address this challenge with pam_selinux.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
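
The interim mitigation mentioned in the message, blocking host-shell access with polkit, could look like the rule below. This is an added example, not part of the original post: the file name, the `wheel` admin group and the `denyHostShell` helper are assumptions, and the `Result` fallback exists only so the decision function can be exercised outside polkitd.

```javascript
// /etc/polkit-1/rules.d/40-deny-host-shell.rules  (file name is an assumption)

// Inside polkitd the real polkit.Result values are used; the fallback mirrors
// them so the decision function can be unit-tested with a plain JS engine.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { NO: "no", NOT_HANDLED: null };

// Assumption: only members of this group may run "machinectl shell .host".
var ADMIN_GROUP = "wheel";

// polkit action that systemd-machined checks for "machinectl shell .host".
var HOST_SHELL_ACTION = "org.freedesktop.machine1.host-shell";

function denyHostShell(action, subject) {
    if (action.id !== HOST_SHELL_ACTION) {
        // Not our action: let later rules and the shipped defaults decide.
        return Result.NOT_HANDLED;
    }
    if (subject.isInGroup(ADMIN_GROUP)) {
        // Admins fall through to the default policy for this action.
        return Result.NOT_HANDLED;
    }
    // Everyone else is refused before a host shell is ever opened, so they
    // cannot obtain a shell in the systemd --user context this way.
    if (typeof polkit !== "undefined") {
        polkit.log("denied " + HOST_SHELL_ACTION + " for user " + subject.user);
    }
    return Result.NO;
}

// Register the rule only when running inside polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(denyHostShell);
}
```

This only closes the `machinectl shell .host` path; it does not change which context pam_selinux assigns to the login shell or to the systemd --user instance.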
