avc: smartcard token login
Mr Dash Four
mr.dash.four at googlemail.com
Tue Dec 7 14:19:03 UTC 2010
> Reference:
> http://lists.fedoraproject.org/pipermail/selinux/2010-December/013294.html
>
> This may be more appropriate if other login programs need this as well.
>
> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> ---
> :100644 100644 6521109... ceadd00... M policy/modules/system/authlogin.if
> policy/modules/system/authlogin.if | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 6521109..ceadd00 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -189,6 +189,12 @@ interface(`auth_login_pgm_domain',`
> ')
>
> optional_policy(`
> + openct_stream_connect($1)
> + openct_signull($1)
> + openct_read_pid_files($1)
> + ')
> +
> + optional_policy(`
> corecmd_exec_bin($1)
> storage_getattr_fixed_disk_dev($1)
> mount_domtrans($1)
>
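Review bot: The new optional_policy block in auth_login_pgm_domain (hunk at -189) grants openct_stream_connect($1), openct_signull($1) and openct_read_pid_files($1) to every domain that calls this interface, not only to the login program from the thread linked under Reference. The commit message says this "may be more appropriate if other login programs need this as well", so it would help to name which login programs actually need OpenCT access, or to keep the three calls in the one affected domain until a second caller appears. A one-line comment above the block stating that it covers smartcard token login through OpenCT would also document why the signull permission is part of the set.
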
Tested this as a patch to my current -73 policy with the modifications
suggested by Miroslav Grepl and it works a treat! No problems at all and
I can now log in via the terminal with my smartcard and disable the
password login.
Over the weekend I will try to see if I can get rid of the pcsc
dependencies as well and use OpenCT only for gdm login on my other machines.