* question about pam_selinux multiple option
From: Yuichi Nakamura @ 2003-10-25  4:44 UTC (permalink / raw)
  To: dwalsh, selinux; +Cc: ynakam


When I saw the man page of pam_selinux,
there is an option "multiple". I think it is convenient.
However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
+    /*    if (strcmp(argv[i], "multiple") == 0) {
+      multiple = 1;
+      }*/
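Review bot: with the `strcmp(argv[i], "multiple")` branch commented out, the `multiple` flag can never be set from a PAM configuration line, so the option the pam_selinux man page documents is dead code at this point; either remove the commented block together with the man page entry, or restore the three lines so the parser and the documentation agree. Enabling it locally makes the option work, as reported above, which confirms the parser is the only thing holding it back.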
When I enabled it, the "multiple" option seemed to work.
Why is it commented out?
Will the "multiple" option be enabled in the future?

Thank you.

---------
Yuichi Nakamura

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: question about pam_selinux multiple option
From: Daniel J Walsh @ 2003-10-27 15:04 UTC (permalink / raw)
  To: Yuichi Nakamura; +Cc: selinux

Yuichi Nakamura wrote:

>When I saw the man page of pam_selinux,
>there is an option "multiple". I think it is convenient.
>However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
>+    /*    if (strcmp(argv[i], "multiple") == 0) {
>+      multiple = 1;
>+      }*/
>When I enabled it, the "multiple" option seemed to work.
>Why is it commented out?
>Will the "multiple" option be enabled in the future?
>
>Thank you.
>
>---------
>Yuichi Nakamura
>  
>

The multiple option was added to allow the user to select the security 
context they would be allowed to login in as.  We have decided to pull 
this functionality from login programs and only allow the user to login 
with the default context.  Afterwards they can change their context 
using newrole.  I will fix the man page.

Dan



* Re: question about pam_selinux multiple option
From: Stephen Smalley @ 2003-10-27 15:24 UTC (permalink / raw)
  To: Yuichi Nakamura; +Cc: Daniel J Walsh, selinux

On Sat, 2003-10-25 at 00:44, Yuichi Nakamura wrote:
> When I saw the man page of pam_selinux,
> there is an option "multiple". I think it is convenient.
> However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
> +    /*    if (strcmp(argv[i], "multiple") == 0) {
> +      multiple = 1;
> +      }*/
> When I enabled it, the "multiple" option seemed to work.
> Why is it commented out?
> Will the "multiple" option be enabled in the future?

I don't see any reason to omit the code either, as you can always just
omit the option in your PAM configuration if you don't want that
functionality.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: question about pam_selinux multiple option
From: Chris PeBenito @ 2003-10-27 19:23 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux Mail List

On Mon, 2003-10-27 at 09:04, Daniel J Walsh wrote:
> The multiple option was added to allow the user to select the security 
> context they would be allowed to login in as.  We have decided to pull 
> this functionality from login programs and only allow the user to login 
> with the default context.

I'm curious what prompted this change?  Prompting the user for the
context they want to login with, for local logins, has been there for as
long as I've used SELinux (though that's only since March).  That is, in
the older /bin/login patches.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


* Re: question about pam_selinux multiple option
From: Daniel J Walsh @ 2003-10-27 19:52 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: SELinux Mail List

Chris PeBenito wrote:

>On Mon, 2003-10-27 at 09:04, Daniel J Walsh wrote:
>>The multiple option was added to allow the user to select the security 
>>context they would be allowed to login in as.  We have decided to pull 
>>this functionality from login programs and only allow the user to login 
>>with the default context.
>I'm curious what prompted this change?  Prompting the user for the
>context they want to login with, for local logins, has been there for as
>long as I've used SELinux (though that's only since March).  That is, in
>the older /bin/login patches.

The problem was that different login programs worked differently.  Login 
had this ability, sshd did not.  Some versions of [xg]dm had it but 
others didn't and it was very complicated code within these login 
programs.  We just decided to simplify it and not expose this to the users.

Dan


* Re: question about pam_selinux multiple option
From: Russell Coker @ 2003-10-27 22:38 UTC (permalink / raw)
  To: Daniel J Walsh, Yuichi Nakamura; +Cc: selinux

On Tue, 28 Oct 2003 02:04, Daniel J Walsh wrote:
> The multiple option was added to allow the user to select the security
> context they would be allowed to login in as.  We have decided to pull
> this functionality from login programs and only allow the user to login
> with the default context.  Afterwards they can change their context
> using newrole.  I will fix the man page.

Dan, I agree that the multiple option is not something we want globally 
enabled, and it may not be desirable to have it enabled in a default 
configuration.  But I think that we should still have the feature available 
in a default build of the module so that anyone who desires it and is using a 
login program that will support it can do so.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
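Stephen's reply (omit the option in the PAM configuration if you don't want it) and Russell's (ship the feature in the module, but don't enable it in a default configuration) both treat the pam.d service files as the control point for `multiple`. As an added example, not code from this thread or from pam_selinux, here is a small audit that parses pam.d-style service files and reports which services pass `multiple` to pam_selinux; the three service files are constructed samples.

```python
# Added example: audit pam.d-style configuration for pam_selinux lines that
# carry the "multiple" option. The service files below are constructed.
import re

# Constructed sample: three services, only "login" enables "multiple".
SAMPLE_PAM_D = {
    "login": """\
#%PAM-1.0
auth       required   pam_unix.so
session    required   pam_selinux.so close
session    required   pam_selinux.so multiple open
""",
    "sshd": """\
session    [success=ok default=bad] pam_selinux.so \\
               open
""",
    "gdm": """\
session    required   pam_selinux.so open
""",
}

def parse_pam_lines(text):
    """Yield (type, control, module, args) for each effective pam.d line.

    Handles '#' comments, blank lines, backslash continuations and the
    bracketed [value=action ...] control syntax.
    """
    logical = re.sub(r"\\\n\s*", " ", text)   # join continuation lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue                            # malformed line: skip
        mtype, control, module, rest = m.groups()
        yield mtype.lstrip("-"), control, module, rest.split()

def services_with_multiple(pam_d):
    """Return sorted service names whose pam_selinux session line uses 'multiple'."""
    hits = set()
    for service, text in pam_d.items():
        for mtype, _control, module, args in parse_pam_lines(text):
            if mtype == "session" and module.endswith("pam_selinux.so") \
                    and "multiple" in args:
                hits.add(service)
    return sorted(hits)

if __name__ == "__main__":
    print(services_with_multiple(SAMPLE_PAM_D))  # ['login']
```

Point the dictionary at the real contents of /etc/pam.d/* to run the same check against a live system.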

