On 06/05/2009 05:14 PM, Vadym Chepkov wrote:
I started to work on a test case for selinux/winbind and found another unrelated issue
with pam_mkhomedir. SELinux doesn't allow winbind user to create a home for himself
and copy files from /etc/skel, I had to add the following rules into the local policy:
allow sshd_t user_home_dir_t:file { write create setattr };
unprivuser_home_filetrans_home_dir(sshd_t)
unprivuser_create_home_dir(sshd_t)
I searched bugzilla and it seems a related case was already filed (Bug 447096) against
Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means
after Fedora 11 is released it will be automatically closed without resolution like it has
happened so many times in the past. Is there a way to keep a bug alive until it is actually
resolved? Thanks.
Sincerely yours,
Vadym Chepkov
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

We would prefer you to use pam_oddjob_mkhomedir.
The problem with pam_mkhomedir is that it requires us to give privs to
all login programs to write all over the users homedir. I do not want
to give login programs this priv, because I want to prevent them from
even being able to read the homedir. Imagine a remote exploit of sshd
that allows me to pull data off the HOMEDIR without even logging in.
Imagine being able to walk up to a gdm session and being able to trick
it to read the homedir without logging in.
I do not think there is a way to get the bugzilla to move forward,
without manual intervention.
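For reference, here is what the two approaches look like in the PAM session stack. This is an added illustration, not a configuration posted by either participant: the first line is the pam_mkhomedir form that makes sshd_t (and every other login program's domain) need write access under user_home_dir_t, which is what the policy rules quoted above grant; the second is the pam_oddjob_mkhomedir form, where the PAM module only sends a D-Bus request and the separate oddjobd daemon creates the directory and copies /etc/skel in its own domain. The file path, the umask value and the comments are assumptions of this example.

```text
# /etc/pam.d/system-auth (example path; the stack line is the only part that matters)

# Approach the reply advises against: the home directory is created by the
# login program itself, so sshd, gdm, login, etc. all need create/write
# permission on home directories in SELinux policy.
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077

# Preferred approach: the module only asks oddjobd (over D-Bus) to create the
# home directory; the login program never needs write access to it.
session     optional      pam_oddjob_mkhomedir.so umask=0077
```

Only one of the two session lines should be present. pam_oddjob_mkhomedir requires the oddjob-mkhomedir package and a running oddjobd service; on Fedora of that era `authconfig --enablemkhomedir --update` writes the pam_oddjob_mkhomedir line when the package is installed. With this arrangement a compromise of sshd_t does not gain the file creation and write permissions on user_home_dir_t that the local policy additions above would have handed it.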