On Thursday, 26 July 2012 17:05:32, Jakub Hrozek wrote:
> On Thu, Jul 26, 2012 at 11:18:22AM +0200, Jan Zelený wrote:
> > On Wednesday, 25 July 2012 10:19:04, Simo Sorce wrote:
> > > On Wed, 2012-07-25 at 08:54 +0200, Jan Zelený wrote:
> > > > #161 - Rename session provider to selinux provider
> > > > #162 - Move SELinux provider processing right after PAM_ACCT_MGMT
> > > >
> > > > These patches are a proof of concept solving the following ticket:
> > > >
> > > > https://fedorahosted.org/sssd/ticket/1439
> > > >
> > > > I realize that there might be some rough edges to sand off but right now
> > > > the important thing for me is to know whether the approach implemented in
> > > > patch #162 and described in the comment #1 in the ticket is valid.
> > >
> > > NACK, we discussed a better approach on IRC.
> > >
> > > Simo.
> >
> > Here it is. I re-numbered the patch set because there is a new patch #163
> > bringing a simple fix that should be applied before patch #165.
> >
> > I also extended the commit message. Now it explains the entire idea behind
> > the patch.
> >
> > Thanks
> > Jan
>
> I was able to successfully test the basic SELinux features with this
> patch on a fresh ipa-client install with unmodified PAM stack -- great!
>
> Code-wise, I'm just not a big fan of "phase" in the generic be_req
> structure, but that could be fixed post-beta.

Yeah, I'm not exactly a big fan either but it's still better than new PAM
command. Alternative solution would be to copy-paste the callback (without the
access-vs-selinux decision code) and assign the new callback to the second
request. If you would prefer that approach, I'll be more than happy to
implement the change.

> Ack from me, I'd like to have Simo take a second look, because he has
> architected the approach.

Thanks
Jan