Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

Luke Kenneth Casson Leighton lkcl at lkcl.net
Sun May 30 23:00:07 EST 2004


On Sun, May 30, 2004 at 09:48:31PM +1000, Damien Miller wrote:
> Luke Kenneth Casson Leighton wrote:
> > On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
> >>but it doesn't seem to do much at all - the only code change is the
> >>marking of a ssh-agent fd to be close-on-exec.
> >  
> >  that, and the inclusion of  pam_selinux.so as a required session
> >  plugin, and the setting of a security context on the DSA and
> >  RSA keys in sshd initialisation (a redhat rpm thing?)
> 
> I think we should leave these changes for the vendors of SELinux
> enabled distributions. We want the current files to work for everyone.
 
 hang about....

 let me think: pam_selinux.so is patched into pam, now, and so
 would be there by default.

 i _believe_ that when SE/Linux is not enabled, then pam_selinux.so
 should have no effect.

 in fact, i have a system now where SE/Linux is not enabled, yet
 a patched pam that has pam_selinux has been installed, and i
 can log in fine.

 looking at the code, yes: when is_selinux_enabled() indicates that
 selinux is not enabled, it returns PAM_SUCCESS.

 so, basically, what that boils down to is that if you _do_
 add the line session required pam_selinux.so, then on a 
 non-SELinux system (which _will_ have a pam_selinux.so), nothing
 will break: everything will work unaffected and as expected.

 of course, this requires that the upstream pam maintainers 
 incorporate pam_selinux.so.

 l.
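An added example, not part of the thread above and not code from OpenSSH or Linux-PAM: the message's reasoning that `session required pam_selinux.so` is harmless on a non-SELinux box rests on the .so actually being installed. libpam treats a module it cannot load as a faulty module that fails its stack, so a `required` line for a missing pam_selinux.so would fail every session. The POSIX shell function below lints a PAM service file for `required`/`requisite` modules whose file does not exist in the given module directory; the file and directory names in the usage are assumptions for illustration.

```shell
#!/bin/sh
# pam_missing_required SERVICE_FILE MODULE_DIR
#   Print each "required"/"requisite" module line whose .so cannot be found.
#   Returns 1 if any such module is missing, 0 otherwise.
# Assumptions: plain pam.d syntax; bracketed controls "[...]" and
# "include"/"@include" lines are not followed (they are never the keyword
# "required", so they are simply skipped).
pam_missing_required() {
    conf=$1
    moddir=$2
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments, then split the remainder on whitespace.
        line=${line%%#*}
        set -- $line
        [ $# -ge 3 ] || continue
        type=$1 control=$2 module=$3

        # A leading '-' on the type tells newer Linux-PAM to tolerate a
        # missing module, so such lines cannot lock anyone out.
        case "$type" in
            -*) echo "tolerated if missing: $type $control $module" >&2
                continue ;;
        esac

        # Only the plain required/requisite keywords fail the stack on
        # a faulty (unloadable) module in a way an admin must care about.
        case "$control" in
            required|requisite) ;;
            *) continue ;;
        esac

        # Relative module names are resolved under MODULE_DIR, as libpam
        # does with its compiled-in default security directory.
        case "$module" in
            /*) path=$module ;;
            *)  path=$moddir/$module ;;
        esac

        if [ ! -f "$path" ]; then
            echo "MISSING: $type $control $module (looked in $path)"
            missing=1
        fi
    done < "$conf"
    return $missing
}

# Usage (paths are assumptions; adjust MODULE_DIR to the distribution's
# libpam module directory, e.g. /lib/security or /lib/x86_64-linux-gnu/security):
#   pam_missing_required /etc/pam.d/sshd /lib/security
```

Run it before editing `/etc/pam.d/sshd`; if it reports pam_selinux.so as missing, the `required` line should wait until the PAM package on that system ships the module.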

More information about the openssh-unix-dev mailing list