rpms/pam_ssh/F-8 pam_ssh.te,NONE,1.1 pam_ssh.spec,1.13,1.14

Martin Ebourne lists at ebourne.me.uk
Tue Nov 27 21:27:25 UTC 2007

On Mon, 26 Nov 2007 10:27:30 -0500, Jeremy Katz wrote:
> On Mon, 2007-11-26 at 16:54 +0300, Dmitry Butskoy wrote:
>> But if the user will decide to use SELinux (install all needed
>> packages) later? Then it should re-install pam_ssh to activate its
>> policies...
> This is one of the (many) reasons why it's currently better to get
> policy into the main selinux-policy package rather than trying to do
> hacks to carry policy in the package.

This is bad. It's clearly not workable to have all policy in the one 
centrally maintained cathedral-like package. It's important to be allow 
packages to have their own specific policy and we should be trying to fix 
anything that prevents this.

In this case for instance it is necessary to grant pam extra permissions 
which are not needed except for pam_ssh. Of course, good security policy 
is always to give least permissions and that is being violated here for 
everyone who doesn't use pam_ssh.

In the absence of an ability for selinux to know if pam_ssh is configured 
then at least having the policy in the module would only activate it if 
pam_ssh was installed.



More information about the fedora-devel-list mailing list