Without this change, a process linking our PAM module would do the writing.
That could be potentially problematic because every such process will
probably have its own SELinux context. That would need a rule in the policy for
every process that is linked with PAM modules.
With this change, the context of the process writing to the config file will be
sssd_t, which makes life easier for SELinux policy maintainers.
Thanks
Jan