Stephen Smalley (sds(a)tycho.nsa.gov) said:
> On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:
> > There's an open bug for changing sulogin to handle multiple
> > accounts with uid 0. Wouldn't it also be useful to change
> > it to check roles as well (for strict policy)?
>
> Can you elaborate a little, or point to the bugzilla entry?

135154/168982. Basically, it currently only authenticates
as 'root', while the suggestion was to allow it to authenticate
as any user who has uid 0, even if that's not 'root'.

> It presently just uses the default context for "root" from sulogin's
> domain, where the default can be altered via the default_contexts
> configuration. Were you thinking of having it allow the user to select
> a context if multiple contexts are returned like pam_selinux does?

That's one option. What I initially thought was that, if you
have multiple users who are sysadm_r (or whatever), that it would
allow you to authenticate as any of them.

Bill