From: Dominick Grift <dac.override@gmail.com>
To: "Sugar, David" <dsugar@tresys.com>,
"selinux-refpolicy@vger.kernel.org"
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 2/2] pam_faillock creates files in /run/faillock
Date: Sun, 23 Dec 2018 11:46:48 +0100 [thread overview]
Message-ID: <20181223104648.GB20992@brutus.lan> (raw)
In-Reply-To: <20181223102000.GA20992@brutus.lan>
[-- Attachment #1: Type: text/plain, Size: 2662 bytes --]
On Sun, Dec 23, 2018 at 11:20:00AM +0100, Dominick Grift wrote:
> On Sat, Dec 22, 2018 at 02:58:41AM +0000, Sugar, David wrote:
> >
> > On 12/21/18 5:34 AM, Dominick Grift wrote:
> > > On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
> > >> These are changes needed when pam_fallock created files in /run/faillock
> > >> (which is labeled faillog_t). sudo and xdm (and probably other domains)
> > >> will create files in this directory for successful and failed logins
> > >> attempts.
> > > The pam stuff has become a bit broken in my view.
> > >
> > > We use to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly.
> > >
> > > So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead.
> > >
> > > My opinion is that this belongs in auth_use_pam()
> >
> > Dominick,
> >
> > I see those interfaces. It looks like xdm_t already uses
> > auth_login_pgm_domain(xdm_t). It also isn't really clear to me what the
> > difference is between auth_login_pgm_domain() and auth_use_pam(). I
> > will make updates moving my change into auth_use_pam() and also update
> > sudo_role_template() to use (I think) auth_login_pgm_domain ().
>
> sudo is not an auth_login_pgm_domain() i believe
>
> the auth_use_pam() is a subset of auth_login_pgm_domain()
>
> so login_pgm domains are pam clients plus extras needed to log in users
>
> a auth_use_pam() (pam client) has a pam stack but it might not actually do logins
>
> sudo uses pam but its not a real login program, so afaik sudo should call auth_use_pam()
> xdm is a login_pgm, so is sshd etc
>
> systemd is also a pam client, but not a login program
And yes systemd needs to be able to create these /run/faillock/USER files as well, but if you test this on RHEL then you wont see it because
RHEL doesnt use /etc/pam.d/systemd-user (i suppose)
so:
1. auth_use_pam() == "pam clients" (programs that have a file in /etc/pam.d), they use pam for authentication of some sort
2, auth_login_pgm_domain() == superset (special pam clients that need permissions to do actual logins)
>
> >
> > I will resubmit this patch,
> >
> > --- snip ---
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2018-12-23 10:53 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-21 1:41 [PATCH 1/2] Allow greeter to start dbus and transition David Sugar
2018-12-21 1:41 ` [PATCH 2/2] pam_faillock creates files in /run/faillock David Sugar
2018-12-21 10:34 ` Dominick Grift
2018-12-22 2:58 ` Sugar, David
2018-12-22 19:20 ` Chris PeBenito
2018-12-23 10:20 ` Dominick Grift
2018-12-23 10:46 ` Dominick Grift [this message]
2018-12-23 16:09 ` Dominick Grift
2018-12-23 16:16 ` Dominick Grift
2018-12-22 19:28 ` [PATCH 1/2] Allow greeter to start dbus and transition Chris PeBenito
2018-12-23 16:33 ` Dominick Grift
2018-12-23 16:45 ` Dominick Grift
2018-12-23 16:52 ` Dominick Grift
2018-12-23 16:55 ` Dominick Grift
2018-12-23 17:02 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181223104648.GB20992@brutus.lan \
--to=dac.override@gmail.com \
--cc=dsugar@tresys.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).