Differences between openssh and pam_selinux

Tomas Mraz tmraz at redhat.com
Thu May 15 17:11:54 UTC 2008


There are some differences in how openssh and pam_selinux get the user's
context. As I want to replace part of openssh's SELinux code with
pam_selinux, I'd like to know which one is more correct.

Here's the rough algorithm for both:

OpenSSH
=======

1. get selinux user & default level with getseuserbyname()
2. obtain default ctx with get_default_context_with_level()
3. obtain requested ctx for requested level with
get_default_context_with_level()
4. set requested role to the requested ctx
5. set type for the requested role to the requested ctx (obtained from
get_default_type(requested role))
6. copy the requested ctx and set the requested level in the copy
7. compare the requested ctx with the copy - if not equal -> fail
8. do the points 3. - 7. with the difference that the default level is
used instead of requested level
9. do security_compute_av with CONTEXT__CONTAINS to check whether the
context from 7. is allowed for the context from 8.; if not allowed -> fail
10. use the context from 7. as the user's context.

pam_selinux
===========

1. get selinux user & default level with getseuserbyname()
2. use get_ordered_context_list_with_level() to obtain a list of contexts
for the user & level; the first one on the list is taken as the default
user's context
3. if this fails:
3a.  the level and role are obtained from the user and combined into a
context with the default type for the role and the selinux user
3b.  this ctx is checked with security_check_context() - if fails ->
fail else we have the user's context -> end
4. if 2. succeeds and the module is configured to allow asking the user for
role/level then the user is asked for the requested role and level
5. the requested ctx starts as copy of the default ctx
6. the requested role is set to requested ctx, requested level is set
and the default type (get_default_type()) for the requested role is set
7. the requested ctx is checked with security_check_context() - if fails
-> fail
8. do security_compute_av with CONTEXT__CONTAINS to check whether the
context from 7. is allowed for default context if not allowed -> fail
9. use the context from 7. as the user's context.

So which one is correct if any?
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
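
An added example, not part of the original message and not code from OpenSSH or pam_selinux: it models which two contexts each algorithm hands to the CONTEXT__CONTAINS check. The policy lookups are replaced by constructed stand-ins (`model_default_type()`, and a default context assumed to keep its role and type at any level); the `security_check_context()` and `security_compute_av()` calls themselves are not modeled.

```c
#include <stdio.h>
#include <string.h>

struct ctx { char user[32], role[32], type[32], level[64]; };

/* Constructed stand-in for get_default_type(); the sample policy has two roles. */
static const char *model_default_type(const char *role) {
    if (!strcmp(role, "staff_r"))  return "staff_t";
    if (!strcmp(role, "sysadm_r")) return "sysadm_t";
    return NULL;
}

/* Take base, set the role and its default type, optionally replace the level. */
static int derive(const char *base, const char *role, const char *level,
                  char *out, size_t n) {
    struct ctx c;
    const char *type = model_default_type(role);
    /* Split on the first three colons only: an MLS level like "s0:c1" has its own. */
    if (!type || sscanf(base, "%31[^:]:%31[^:]:%31[^:]:%63s",
                        c.user, c.role, c.type, c.level) != 4)
        return -1;
    snprintf(out, n, "%s:%s:%s:%s", c.user, role, type, level ? level : c.level);
    return 0;
}

/* OpenSSH steps 3-9: candidate and reference both carry the requested role.
 * defctx models what get_default_context_with_level() returns (an assumption). */
int openssh_pair(const char *defctx, const char *role, const char *level,
                 char *cand, char *ref, size_t n) {
    if (derive(defctx, role, level, cand, n)) return -1;
    return derive(defctx, role, NULL, ref, n);
}

/* pam_selinux steps 5-8: the reference is the untouched default context. */
int pam_pair(const char *defctx, const char *role, const char *level,
             char *cand, char *ref, size_t n) {
    if (derive(defctx, role, level, cand, n)) return -1;
    snprintf(ref, n, "%s", defctx);
    return 0;
}

int main(void) {
    const char *def = "staff_u:staff_r:staff_t:s0-s0:c0.c1023";  /* constructed */
    char cand[160], ref[160];
    if (openssh_pair(def, "sysadm_r", "s0:c5", cand, ref, sizeof cand) == 0)
        printf("openssh:     %s  vs  %s\n", cand, ref);
    if (pam_pair(def, "sysadm_r", "s0:c5", cand, ref, sizeof cand) == 0)
        printf("pam_selinux: %s  vs  %s\n", cand, ref);
    return 0;
}
```

In this model both algorithms arrive at the same user context; they differ in the second argument of the containment check, which keeps the default role and type only in the pam_selinux flow.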



