On Fri, Oct 21, 2005 at 06:09:21PM +0200, Christian Perrier wrote: > > Oh, that's not needed. SElinux uses PAM to mediate access to > > the password (there is a SELinux PAM module now). So, people who want > > to enable SELinux on their machine have to do something like so: > > ,----[ Add SELinux capability to the system ] > > | if ! grep pam_selinux.so /etc/pam.d/login >& /dev/null; then > > | echo "" >> /etc/pam.d/login > > | echo "session required pam_selinux.so multiple" >> /etc/pam.d/login > > | echo "" >> /etc/pam.d/login > > | fi > > `---- > We could maybe provide this (commented) in /etc/pam.d/login....or, > maybe better, this could go (still commented) in > /etc/pam.d/common-session. > Could you point me (and possibly other readers) to "not too deeply > technical" doc about SELinux? After all, talking of something without > actually really knowing it is pretty hard..:-) Could someone first test whether putting this in common-session works right for all services? This seems like an opportune time for someone to write a config interface for /etc/pam.d/common-*, so that we have a generally useful means of enabling other PAM modules as well. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. vorlon@debian.org http://www.debian.org/
Attachment:
signature.asc
Description: Digital signature