changing of sulogin for SELinux roles?

Bill Nottingham notting at redhat.com
Wed Sep 21 20:32:16 UTC 2005


Stephen Smalley (sds at tycho.nsa.gov) said: 
> On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:
> > There's an open bug for changing sulogin to handle multiple
> > accounts with uid 0. Wouldn't it also be useful to change
> > it to check roles as well (for strict policy)?
> 
> Can you elaborate a little, or point to the bugzilla entry?

135154/168982. Basically, it currently only authenticates
as 'root', while the suggestion was to allow it to authenticate
as any user who has uid 0, even if that's not 'root'.

> It presently just uses the default context for "root" from sulogin's
> domain, where the default can be altered via the default_contexts
> configuration.  Were you thinking of having it allow the user to select
> a context if multiple contexts are returned like pam_selinux does?

That's one option. What I initially thought was that, if you
have multiple users who are sysadm_r (or whatever), that it would
allow you to authenticate as any of them.

Bill
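
An added illustration, not part of the original message and not sulogin's code: an audit check that lists the accounts with uid 0 and whether each has a usable password, i.e. the set of accounts the proposal above would let sulogin authenticate as. The sample passwd/shadow contents and all function names are constructed for this example.

```python
# Added illustration; not sulogin's implementation. All sample data is constructed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate admin:/root:/bin/sh
admin2:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
+::::::
broken-line
"""
SAMPLE_SHADOW = """\
root:$1$constructed$constructedhash:13000:0:99999:7:::
toor:!$1$constructed$constructedhash:13000:0:99999:7:::
admin2:*:13000:0:99999:7:::
alice:$1$constructed$constructedhash:13000:0:99999:7:::
"""

def _uid0_entries(passwd_text):
    """Yield (name, password_field) for well-formed passwd lines with uid 0."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Skip malformed lines and NIS compat entries ("+..." / "-...").
        if len(fields) != 7 or not fields[0] or fields[0][0] in "+-":
            continue
        if fields[2].isdigit() and int(fields[2]) == 0:
            yield fields[0], fields[1]

def uid0_accounts(passwd_text):
    """Login names whose uid is 0, in file order."""
    return [name for name, _ in _uid0_entries(passwd_text)]

def password_state(field):
    """Classify a password field as 'empty', 'locked' or 'set'."""
    if field == "":
        return "empty"
    return "locked" if field[0] in "!*" else "set"

def single_user_candidates(passwd_text, shadow_text):
    """Map each uid 0 account to the state of its password."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    result = {}
    for name, pw in _uid0_entries(passwd_text):
        if pw == "x":  # password is stored in shadow
            pw = shadow.get(name)
        result[name] = "missing" if pw is None else password_state(pw)
    return result
```
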



