[Pkg-shadow-devel] Bug#472575: Bug#472575: Bug#472575: Bug#472575: /usr/bin/passwd needs patch for better SE Linux support

Russell Coker russell at coker.com.au
Wed Mar 26 05:25:11 UTC 2008


On Wednesday 26 March 2008 09:49, Nicolas François 
<nicolas.francois at centraliens.net> wrote:
> You also mentioned a dependency on the kernel, is there a need for
> a versioned dependency on libselinux1-dev with your patch?

The dependency on the kernel is for getting SE Linux working in Unstable and 
therefore being able to properly test the code.

There is no dependency on libselinux1-dev AFAIK, or at least nothing newer 
than Etch.

> From my understanding, shadow-4.1.0-selinux.patch permits to define the
> SE Linux user used to create, move, delete files in useradd, usermod,
> userdel (file context?). It uses semanage, genhomedircon, restorecon.
>
> Maybe this is not useful in Debian because useradd, usermod, and userdel
> are compiled with PAM support and pam_selinux may provide the same
> support.

Support in useradd and usermod is required to correctly label or relabel the 
contents of the user home directory.

userdel should not need SE Linux support, and according to a brief scan of the 
Fedora man page it appears not to have it.

> I would like to review the WITH_SELINUX parts of shadow for a later
> release, because I fear it is not really consistent from one tool to
> another.

The overall design of shadow is lacking in this regard.  Working with design 
mistakes from decades ago limits us.

> Russell, if you think I should also apply shadow-4.1.0-selinux.patch
> upstream, I will apply it blindly.

I have not reviewed it.  Having more code from the Red Hat branch would be a 
good thing, Dan can probably give some advice.

I will eventually review more of that code and submit patches as appropriate.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development




