avc: smartcard token login

Dominick Grift domg472 at gmail.com
Sun Dec 5 21:11:37 UTC 2010


On 12/05/2010 10:06 PM, Mr Dash Four wrote:
> 
>> Reference:
>> http://lists.fedoraproject.org/pipermail/selinux/2010-December/013294.html
>>
>>
>> This may be more appropriate if other login programs need this as well.
>>
>> Signed-off-by: Dominick Grift <domg472 at gmail.com>
>> ---
>> :100644 100644 6521109... ceadd00... M   
>> policy/modules/system/authlogin.if
>>  policy/modules/system/authlogin.if |    6 ++++++
>>  1 files changed, 6 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/system/authlogin.if
>> b/policy/modules/system/authlogin.if
>> index 6521109..ceadd00 100644
>> --- a/policy/modules/system/authlogin.if
>> +++ b/policy/modules/system/authlogin.if
>> @@ -189,6 +189,12 @@ interface(`auth_login_pgm_domain',`
>>      ')
>>  
>>      optional_policy(`
>> +        openct_stream_connect($1)
>> +        openct_signull($1)
>> +        openct_read_pid_files($1)
>> +    ')
>> +
>> +    optional_policy(`
>>          corecmd_exec_bin($1)
>>          storage_getattr_fixed_disk_dev($1)
>>          mount_domtrans($1)
>>   
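
Review bot: the openct block added at the top of this hunk carries no comment saying why a login program needs openct_stream_connect, openct_signull and openct_read_pid_files, and because it sits inside auth_login_pgm_domain every domain that calls the interface receives all three. Add a one-line comment above `openct_stream_connect($1)` naming the smartcard token login case from the referenced thread, and confirm that granting this to all callers is intended rather than only to the login domains that actually perform smartcard authentication.
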
> Would that work? Would you not get out-of-scope error referencing a
> 'module' from a 'base' module?
> Bug submitted - https://bugzilla.redhat.com/show_bug.cgi?id=660147

In theory that would work since the policy is wrapped in an
optional_policy block.

To be honest these modules (authlogin and locallogin) should not be in
base in the first place.

I don't have them in base in my personal policy either:

[root at localhost Desktop]$ semodule -l | grep authlogin
authlogin	2.2.0	
[root at localhost Desktop]$ semodule -l | grep locallogin
locallogin	1.10.0	

Stuffing everything in base just to work around some issue that should
be handled more appropriately is a bad idea in my opinion.

If this patch does not work then not much else will work and policy is
fundamentally broken.