avc: smartcard token login
Dominick Grift
domg472 at gmail.com
Sun Dec 5 21:11:37 UTC 2010
On 12/05/2010 10:06 PM, Mr Dash Four wrote:
>
>> Reference:
>> http://lists.fedoraproject.org/pipermail/selinux/2010-December/013294.html
>>
>>
>> This may be more appropriate if other login programs need this as well.
>>
>> Signed-off-by: Dominick Grift <domg472 at gmail.com>
>> ---
>> :100644 100644 6521109... ceadd00... M
>> policy/modules/system/authlogin.if
>> policy/modules/system/authlogin.if | 6 ++++++
>> 1 files changed, 6 insertions(+), 0 deletions(-)
>>
>> diff --git a/policy/modules/system/authlogin.if
>> b/policy/modules/system/authlogin.if
>> index 6521109..ceadd00 100644
>> --- a/policy/modules/system/authlogin.if
>> +++ b/policy/modules/system/authlogin.if
>> @@ -189,6 +189,12 @@ interface(`auth_login_pgm_domain',`
>> ')
>>
>> optional_policy(`
>> + openct_stream_connect($1)
>> + openct_signull($1)
>> + openct_read_pid_files($1)
>> + ')
>> +
>> + optional_policy(`
>> corecmd_exec_bin($1)
>> storage_getattr_fixed_disk_dev($1)
>> mount_domtrans($1)
>>
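Review bot: the three openct calls added at the top of this hunk sit inside auth_login_pgm_domain, so openct_stream_connect, openct_signull and openct_read_pid_files are granted to every domain that calls the interface, while the commit message only says this "may be more appropriate if other login programs need this as well". If only some login programs need openct, grant the access in those domains' own policy instead; if the interface is the intended place, add a comment in the new optional_policy block saying it is for smartcard token login, so the reason for the signull and pid file access is recorded.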
> Would that work? Would you not get an out-of-scope error referencing a
> 'module' from a 'base' module?
> Bug submitted - https://bugzilla.redhat.com/show_bug.cgi?id=660147
In theory that would work since the policy is wrapped in an
optional_policy block.
To be honest these modules (authlogin and locallogin) should not be in
base in the first place.
I don't have them in base in my personal policy either:
[root@localhost Desktop]$ semodule -l | grep authlogin
authlogin 2.2.0
[root@localhost Desktop]$ semodule -l | grep locallogin
locallogin 1.10.0
Stuffing everything in base just to work around some issue that should
be handled more appropriately is a bad idea in my opinion.
If this patch does not work then not much else will work and policy is
fundamentally broken.