[redhat-lspp] Re: MLS enforcing PTYs, sshd, and newrole

James Antill james.antill at redhat.com
Tue Oct 31 19:53:55 UTC 2006


On Tue, 2006-10-24 at 19:19 -0500, George C. Wilson wrote:
> On Tue, Oct 24, 2006 at 04:37:16PM -0400, James Antill wrote:
> > On Mon, 2006-10-23 at 12:14 -0400, James Antill wrote:
> > > On Thu, 2006-10-19 at 09:30 -0400, Stephen Smalley wrote:
> > > > pam_selinux used to have support to let the user pick from the list of
> > > > reachable contexts for the user.  So you could just restore that
> > > > support.
> > >
> > >  So, in summary of the discussion, having pam_selinux let the user pick
> > > the TE and Sensitivity separately (much as it does now if
> > > get_ordered_context_list_with_level() fails) is the valid approach?
> > 
> >  Ok, I've done a patch to PAM which adds a config_role option to
> > the pam_selinux module ... which if turned on takes the user's default
> > context and allows them to change the role and/or level (if mls is
> > enabled). Entering a blank line sticks with the default.
> > 
> >  It's available from:
> > 
> > http://people.redhat.com/jantill/pam-config_role/
> > 
> > ...the rpms there have been built on FC5.
> > 
> 
> Thanks, James.  I got it built on a ppc64 victim.  Hopefully Klaus can take a
> quick look to see if it will work for the cert.

 Ok, here are some rpms which should be very close to what we'd have for
LSPP.

 http://people.redhat.com/jantill/pam-config_role/


 Note that if you rebuild for ppc you'll need to install the libselinux
rpm before building the pam one. Also selinux-policy will only build on
FC-6, due to policy-coreutils deps.
 The libselinux and policy changes will probably get into FC6/etc. as
soon as Stephen has signed off on them going upstream. The PAM changes
need to be merged with other PAM work ongoing atm. and will require
Klaus/you/etc. saying they solve this problem.

-- 
James Antill - <james.antill at redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);
