The default_type functionality is too limited because it assumes that all login programs associate the same type with a given role This is not the case For example: default_type for local_login: joe.role:joe.type default_type for sshd: joe.role:joe_ssh_server.type default_type for cockpit joe.role:joe_cockpit_bridge.type etc So pam_selinux "select_context" can only support a single login program due to this I do not understand why default_type is needed in the first place. The contexts/users/ file is more specific: /etc/selinux/TYPE/contexts/users/joe.user: sys.role:login.type:s0 joe.role:joe.type:s0 joe1.role:joe1.type:s0 sys.role:sshd.type:s0 joe.role:joe_ssh_server.type:s0 joe1.role:joe1_ssh_server.type:s0 sys.role:cockpit_session.subj:s0 joe.role:joe_cockpit_bridge.type:s0 joe1:joe1_cockpit_bridge.type:s0 ie. its already specified that for example joe1.type is default type for joe1.role for local_login and that joe1_ssh_server.type is default type for joe1.role for sshd So unless i am overlooking something, the default_type file is redundant and it actually adds an extra file to configure -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
