Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sun May 30 23:00:07 EST 2004
On Sun, May 30, 2004 at 09:48:31PM +1000, Damien Miller wrote:
> Luke Kenneth Casson Leighton wrote:
> > On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
> >>but it doesn't seem to do much at all - the only code change is the
> >>marking of a ssh-agent fd to be close-on-exec.
> >
> > that, and the inclusion of pam_selinux.so as a required session
> > plugin, and the setting of a security context on the DSA and
> > RSA keys in sshd initialisation (a redhat rpm thing?)
>
> I think we should leave these changes for the vendors of SELinux
> enabled distributions. We want the current files to work for everyone.
hang about....
let me think: pam_selinux.so is patched into pam, now, and so
would be there by default.
i _believe_ that when SE/Linux is not enabled, then pam_selinux.so
should have no effect.
in fact, i have a system now where SE/Linux is not enabled, yet
a patched pam that has pam_selinux has been installed, and i
can log in fine.
looking at the code, yes: is_selinux_enabled() indicating that
selinux is not enabled, returns PAM_SUCCESS.
so, basically, what that boils down to is that if you _do_
add the line session required pam_selinux.so, then on a
non-SELinux system (which _will_ have a pam_selinux.so), nothing
will break: everything will work unaffected and as expected.
of course, this requires that the upstream pam maintainers
incorporate pam_selinux.so.
l.
More information about the openssh-unix-dev
mailing list