[PATCH 1/5] adding seadmin support

Leonidas Da Silva Barbosa leosilva at linux.vnet.ibm.com
Wed Nov 13 13:18:09 UTC 2013


On Wed, Nov 13, 2013 at 12:04:30PM +0100, Dominick Grift wrote:
> On Tue, 2013-11-12 at 19:20 +0100, Dominick Grift wrote:
> 
> > Also I can't get sepermit to work on Fedora 19 (at least not with sshd
> > (that's all I tried))
> > 
> > even if I add the debug option to sepermit.so it still does not log a
> > thing and my confined admin is able to log in in permissive mode :(
> > 
> 
> I tried it again, and it just seems messy. In /etc/pam.d/gdm-password
> "pam_selinux-permit.so" is called, while everywhere else (including the
> man page) it's "pam_sepermit.so"
> 
> No matter what I try though, I cannot get it to work for sshd at least
> 
> Not sure if related to sepermit, but I was able to log in without a
> password in gdm when I had just the username added
> to /etc/security/sepermit.conf (no ":exclusive" appended)
> 
> So if it was sepermit allowing the user to log in w/o a password then I
> think that is probably wrong because AFAIK you need :exclusive to allow
> passwordless logins.
> 
> Nonetheless, things do not work for sshd, no matter what I try, and
> it's not giving me any feedback even if I append debug.
> 
>
Sorry, I did not know sepermit yet. If I got the idea, it allows some SELinux
user to log in without a password (:exclusive), and (:ignore) to prevent
seadmin users from logging in if the system is in permissive mode, also
allowing just one session per user, right?
For sure it is a good approach, making the environment more isolated
and confined.

Do these problems you found trying to use sepermit in F19 also appear in the
new F20? Or maybe it is a bug? I'll test it in F20.
