* question about pam_selinux multiple option
@ 2003-10-25 4:44 Yuichi Nakamura
2003-10-27 15:04 ` Daniel J Walsh
2003-10-27 15:24 ` Stephen Smalley
0 siblings, 2 replies; 6+ messages in thread
From: Yuichi Nakamura @ 2003-10-25 4:44 UTC (permalink / raw)
To: dwalsh, selinux; +Cc: ynakam
When I saw the man page of pam_selinux,
there is an option "multiple". I think it is convenient.
However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
+ /* if (strcmp(argv[i], "multiple") == 0) {
+ multiple = 1;
+ }*/
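Review bot: the `multiple` check at `strcmp(argv[i], "multiple") == 0` is added inside a `/* ... */` comment, so the patch carries dead code while the man page still documents the option. Either delete these three lines together with the man page entry, or enable the branch and leave `multiple` out of the default PAM configuration; if it has to stay disabled for now, add a one-line comment saying why.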
When I enabled it, the "multiple" option seemed to work.
Why is it commented out?
Will the "multiple" option be enabled in the future?
Thank you.
---------
Yuichi Nakamura
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: question about pam_selinux multiple option
From: Daniel J Walsh @ 2003-10-27 15:04 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: selinux
Yuichi Nakamura wrote:
>When I saw the man page of pam_selinux,
>there is an option "multiple". I think it is convenient.
>However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
>+ /* if (strcmp(argv[i], "multiple") == 0) {
>+ multiple = 1;
>+ }*/
>When I enabled it, the "multiple" option seemed to work.
>Why is it commented out?
>Will the "multiple" option be enabled in the future?
>
>Thank you.
>
>---------
>Yuichi Nakamura
>
>
The multiple option was added to allow the user to select the security
context they would be allowed to log in as. We have decided to pull
this functionality from login programs and only allow the user to login
with the default context. Afterwards they can change their context
using newrole. I will fix the man page.
Dan
* Re: question about pam_selinux multiple option
From: Stephen Smalley @ 2003-10-27 15:24 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: Daniel J Walsh, selinux
On Sat, 2003-10-25 at 00:44, Yuichi Nakamura wrote:
> When I saw the man page of pam_selinux,
> there is an option "multiple". I think it is convenient.
> However, in pam-selinux.patch, the code about "multiple" is commented out, like this.
> + /* if (strcmp(argv[i], "multiple") == 0) {
> + multiple = 1;
> + }*/
> When I enabled it, the "multiple" option seemed to work.
> Why is it commented out?
> Will the "multiple" option be enabled in the future?
I don't see any reason to omit the code either, as you can always just
omit the option in your PAM configuration if you don't want that
functionality.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: question about pam_selinux multiple option
From: Chris PeBenito @ 2003-10-27 19:23 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux Mail List
On Mon, 2003-10-27 at 09:04, Daniel J Walsh wrote:
> The multiple option was added to allow the user to select the security
> context they would be allowed to log in as. We have decided to pull
> this functionality from login programs and only allow the user to login
> with the default context.
I'm curious what prompted this change? Prompting the user for the
context they want to login with, for local logins, has been there for as
long as I've used SELinux (though that's only since March). That is, in
the older /bin/login patches.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: question about pam_selinux multiple option
From: Daniel J Walsh @ 2003-10-27 19:52 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SELinux Mail List
Chris PeBenito wrote:
>On Mon, 2003-10-27 at 09:04, Daniel J Walsh wrote:
>
>>The multiple option was added to allow the user to select the security
>>context they would be allowed to log in as. We have decided to pull
>>this functionality from login programs and only allow the user to login
>>with the default context.
>
>I'm curious what prompted this change? Prompting the user for the
>context they want to login with, for local logins, has been there for as
>long as I've used SELinux (though that's only since March). That is, in
>the older /bin/login patches.
>
The problem was that different login programs worked differently. Login
had this ability, sshd did not. Some versions of [xg]dm had it but
others didn't and it was very complicated code within these login
programs. We just decided to simplify it and not expose this to the Users.
Dan
* Re: question about pam_selinux multiple option
From: Russell Coker @ 2003-10-27 22:38 UTC (permalink / raw)
To: Daniel J Walsh, Yuichi Nakamura; +Cc: selinux
On Tue, 28 Oct 2003 02:04, Daniel J Walsh wrote:
> The multiple option was added to allow the user to select the security
> context they would be allowed to log in as. We have decided to pull
> this functionality from login programs and only allow the user to login
> with the default context. Afterwards they can change their context
> using newrole. I will fix the man page.
Dan, I agree that the multiple option is not something we want globally
enabled, and it may not be desirable to have it enabled in a default
configuration. But I think that we should still have the feature available
in a default build of the module so that anyone who desires it and is using a
login program that will support it can do so.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page