[PATCH 1/5] adding seadmin support

Daniel J Walsh dwalsh at redhat.com
Wed Nov 13 13:58:44 UTC 2013


On 11/13/2013 06:04 AM, Dominick Grift wrote:
> On Tue, 2013-11-12 at 19:20 +0100, Dominick Grift wrote:
> 
>> Also I can't get sepermit to work on Fedora 19 (at least not with sshd
>> (that's all I tried))
>> 
>> even if I add the debug option to sepermit.so it still does not log a 
>> thing and my confined admin is able to log in in permissive mode :(
>> 
> 
> I tried it again, and it just seems messy. In /etc/pam.d/gdm-password 
> "pam_selinux-permit.so" is called, while everywhere else (including the man
> page) it's "pam_sepermit.so"
> 
> No matter what I try though, I cannot get it to work for sshd at least
> 
> Not sure if related to sepermit, but I was able to log in without a password
> in gdm when I had just the username added to /etc/security/sepermit.conf (no
> ":exclusive" appended)
> 
> So if it was sepermit allowing the user to log in w/o a password then I 
> think that is probably wrong because AFAIK you need :exclusive to allow 
> passwordless logins.
> 
> Nonetheless, things do not work for sshd, no matter what I try, and it's
> not giving me any feedback even if I append debug.
> 
pam_sepermit requires no processes of the same label to be running. I.e., if
there is an xguest_t process running, pam_sepermit will require a password for
someone logging in as xguest_t.

We usually only allow console login with pam_sepermit, since it was designed
for the kiosk/xguest use case.