[Pkg-shadow-devel] Bug#387480: Please add commented pam_selinux line

Manoj Srivastava srivasta at golden-gryphon.com
Fri Sep 15 15:02:14 UTC 2006


Hi,

         This pam_selinux ensures that any user logging in has the proper
 security ID and the process created runs in the proper default
 security context.  Also the controlling tty will have its security
 context modified to match the user's. This makes sense only for humans
 logging in, so /etc/pam.d/{login,ssh} are the places where it is
 required.

        Daemons such as cron, proftpd, gdm etc. already run in the
 proper security context, for example, and should not be reset to the
 default security context of the user they are running as, so
 common-account, common-session, or common-password are not
 appropriate.

        For people interested in the gory details, on
 pam_open_session, pam_selinux sets the exec context for the process
 to the appropriate context for the user, so that any subsequently
 executed programs will transition into that context.  On
 pam_close_session, pam_selinux restores the exec context to its
 original value, so any subsequently executed programs will revert to
 the prior behavior.

        As an aside, the placement of the line does matter when you
 are running SELinux; the principal concern being the impact on helper
 programs executed by other pam session modules invoked after
 pam_selinux when opening a session, and the impact on helper programs
 executed by other pam session modules invoked before pam_selinux when
 closing a session, as any such helper programs will end up in the
 user's context.

        I usually append the line to the files on my machines (it is
 simpler to do so using a shell script and the indirection operator
 >>), so I know that works. (How many pam session modules use helper
 programs at closing, anyway? I don't seem to have noticed any AVC
 denials in my runs.)

        Perhaps we could have the following appended to the end of the
 files /etc/pam.d/{login,ssh}:

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so multiple

        thanks

        manoj
-- 
"I believe I found the missing link between animal and civilized
man. It is us." -- Konrad Lorenz
Manoj Srivastava     <srivasta at acm.org>    <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C