
Re: The possibility of SELinux targeted policy in the default install

On Fri, Sep 15, 2006 at 10:59:07AM +0200, Erich Schubert wrote:
> Hello Steve,
> > Could you remind me why this module is specific to /etc/pam.d/ssh and
> > /etc/pam.d/login, rather than something that should be enabled in the global
> > config?

> AFAIK it's because login and ssh are interactive sessions. These might
> be using different contexts (e.g. sysadm_r, staff_r, user_r), whereas
> when logging into the imap server this differentiation is not necessary.
> (well, I could imagine we would need it in courier and dovecot when
> storing the mail in the user's home folder?)
> We definitely need some selinux wizard for that.

Ok.  What about cron, su, *dm, sudo, samba, ftp servers...?  All of these
processes change uids as well after authentication, do they also need
selinux support?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
