From tmraz at redhat.com Fri Jun 1 07:47:17 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Fri, 01 Jun 2007 09:47:17 +0200
Subject: [redhat-lspp] Some enhancements for pam_namespace
Message-ID: <1180684037.28908.9.camel@perun.kabelta.loc>

I've implemented some enhancements for pam_namespace which can be used
for temporary logons. These enhancements were proposed by Dan Walsh.
Please review if you're interested.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
              Turkish proverb


From sgrubb at redhat.com Sun Jun 3 13:50:45 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Sun, 3 Jun 2007 09:50:45 -0400
Subject: [redhat-lspp] Multi-level GUI for selinux?
In-Reply-To: <64B9BEB4F544624B9D59DB6F61E2E65417628D@AZ25EXM03.gddsi.com>
References: <64B9BEB4F544624B9D59DB6F61E2E65417628D@AZ25EXM03.gddsi.com>
Message-ID: <200706030950.45583.sgrubb@redhat.com>

On Thursday 31 May 2007 15:24:02 Segura, John-P59285 wrote:
> Are there any plans for a multi-level GUI/desktop for selinux?

That's a good question. I would say that for RHEL5 it's not very likely.
I'd say for RHEL6, it depends on the level of interest from the community
and how many people help. I think several people are working on getting
everything in place to make it happen and I'm sure they could use help.
Most of that work is being coordinated on the NSA SE Linux mail list.

-Steve


From klaus at atsec.com Mon Jun 4 17:10:37 2007
From: klaus at atsec.com (Klaus Weidner)
Date: Mon, 4 Jun 2007 12:10:37 -0500
Subject: [redhat-lspp] Some enhancements for pam_namespace
In-Reply-To: <1180684037.28908.9.camel@perun.kabelta.loc>
References: <1180684037.28908.9.camel@perun.kabelta.loc>
Message-ID: <20070604171037.GB2040@w-m-p.com>

On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> I've implemented some enhancements for pam_namespace which can be used
> for temporary logons. These enhancements were proposed by Dan Walsh.
> Please review if you're interested.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825

I like the functionality, but I'm starting to think that pam_namespace
may get too complex if too many special cases get added. Rather than
implementing a complex ad-hoc language for the namespace conf file, would
it make sense to provide the option of calling an external script, giving
it username and context etc. as arguments, and using its output as a list
of namespace configurations?

That way, you could keep policy decisions in the script.

-Klaus


From tmraz at redhat.com Tue Jun 5 07:38:08 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Tue, 05 Jun 2007 09:38:08 +0200
Subject: [redhat-lspp] Some enhancements for pam_namespace
In-Reply-To: <20070604171037.GB2040@w-m-p.com>
References: <1180684037.28908.9.camel@perun.kabelta.loc>
	<20070604171037.GB2040@w-m-p.com>
Message-ID: <1181029088.2506.11.camel@perun.kabelta.loc>

On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
> On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> > I've implemented some enhancements for pam_namespace which can be used
> > for temporary logons. These enhancements were proposed by Dan Walsh.
> > Please review if you're interested.
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
>
> I like the functionality, but I'm starting to think that pam_namespace
> may get too complex if too many special cases get added. Rather than
> implementing a complex ad-hoc language for the namespace conf file, would
> it make sense to provide the option of calling an external script, giving
> it username and context etc. as arguments, and using its output as a list
> of namespace configurations?
>
> That way, you could keep policy decisions in the script.

That would help just with the ~xguest part of the enhancements but this
change is really simple and doesn't affect much of the code. However the
temp dir part must be handled in the module directly. The only change
could be instead of calling 'rm -rf' directly to call something like
namespace.remove script. But as the only logical thing is to remove the
temporary directory anyway I don't think it is worth the hassle.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
              Turkish proverb
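An added example, not part of this thread and not pam_namespace's own code: a sketch of the design Klaus describes (an external policy script that receives user name and SELinux context and whose output is consumed as a list of namespace configurations), followed by a guarded version of the instance-directory removal Tomas refers to, standing in for what a "namespace.remove" hook would have to check. Assumptions: the emitted lines use the namespace.conf field order "polydir instance_prefix method" and the method names user, context, level, tmpdir and tmpfs; user names and contexts are constructed test inputs; nothing here is wired into PAM.

```shell
#!/bin/sh
# Added example (not from the thread, not pam_namespace code). Assumes the
# namespace.conf field order "polydir instance_prefix method" and the method
# names listed in validate_entry; users and contexts below are constructed.

# Hypothetical external policy script: decide what a login gets
# polyinstantiated from its user name and SELinux context only.
policy_for_login() {
    user="$1"
    context="$2"
    case "$user" in
        xguest|guest-*)
            # throwaway logins: temporary instance dirs, home on tmpfs
            printf '%s\n' '/tmp /tmp-inst/ tmpdir'
            printf '%s\n' '/var/tmp /var/tmp-inst/ tmpdir'
            printf '%s\n' '$HOME $HOME/$USER.inst/ tmpfs'
            ;;
        root|adm)
            : # administrative accounts: no polyinstantiation
            ;;
        *)
            case "$context" in
                *:s0) method=user ;;   # single-level s0: per-user instances
                *)    method=level ;;  # any other MLS range: per-level instances
            esac
            printf '%s\n' "/tmp /tmp-inst/ $method"
            printf '%s\n' "/var/tmp /var/tmp-inst/ $method"
            ;;
    esac
}

# Consumer side: the module must not trust script output blindly. A line is
# accepted only if it has exactly three fields, an absolute or $HOME-based
# polydir, an absolute or $HOME-based instance prefix and a known method.
validate_entry() {
    case "$1" in
        /*|'$HOME'|'$HOME/'*) ;;
        *) return 1 ;;
    esac
    case "$2" in
        /*|'$HOME/'*) ;;
        *) return 1 ;;
    esac
    case "$3" in
        user|context|level|tmpdir|tmpfs) ;;
        *) return 1 ;;
    esac
    [ -z "$4" ]
}

# Run the policy script and keep only the entries that pass validation;
# rejected lines are reported on stderr instead of being applied.
namespaces_for() {
    policy_for_login "$1" "$2" | while read -r polydir prefix method extra; do
        if validate_entry "$polydir" "$prefix" "$method" "$extra"; then
            printf '%s %s %s\n' "$polydir" "$prefix" "$method"
        else
            printf 'rejected policy line: %s %s %s %s\n' \
                "$polydir" "$prefix" "$method" "$extra" >&2
        fi
    done
}

count_namespaces() {
    namespaces_for "$1" "$2" | wc -l | tr -d ' '
}

# Guarded counterpart of the plain "rm -rf" on a tmpdir instance: refuse
# unless the target sits under the expected instance prefix, contains no
# ".." segment and is a real directory rather than a symlink, so a bad or
# planted path cannot turn cleanup into an arbitrary recursive delete.
remove_instance_dir() {
    inst="$1"
    prefix="${2%/}"
    [ -n "$prefix" ] || return 1
    case "$inst" in
        "$prefix"/?*) ;;
        *) printf 'refusing to remove %s: outside %s\n' "$inst" "$prefix" >&2
           return 1 ;;
    esac
    case "$inst" in
        */..|*/../*) return 1 ;;
    esac
    if [ -L "$inst" ] || [ ! -d "$inst" ]; then
        printf 'refusing to remove %s: not a plain directory\n' "$inst" >&2
        return 1
    fi
    rm -rf -- "$inst"
}

# Demo: what a guest and a regular user would get under this policy.
namespaces_for xguest 'xguest_u:xguest_r:xguest_t:s0'
namespaces_for alice  'user_u:user_r:user_t:s0'
```

The point of the split is the one Klaus makes: policy (who gets which directories polyinstantiated, and how) lives in a replaceable script, while the module keeps the parts that must be trustworthy, validating what the script hands back and deciding what it is willing to delete. The removal guard is the reason a cleanup hook is less free-form than it looks: whatever calls "rm -rf" on an instance directory has to be certain the path is the one it created.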