Closed DemiMarie closed 5 years ago
On Wed, Aug 28, 2019 at 06:58:14AM -0700, Demi Marie Obenour wrote:
Currently, there is no good way for third-party domains to log users in with pam_selinux.so.
Can you explain what the pain points in your opinion are and maybe suggest possible solutions to address this?
-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/SELinuxProject/refpolicy/issues/77
-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
@doverride If I implement my own login program and give it its own type (say demi_login_t), pam_selinux does not assign the proper MCS contexts. I believe that the problem is the *_default_contexts files.
On Wed, Aug 28, 2019 at 07:30:27AM -0700, Demi Marie Obenour wrote:
@doverride If I implement my own login program and give it its own type (say demi_login_t), pam_selinux does not assign the proper MCS contexts. I believe that the problem is the *_default_contexts files.
Yes, I agree. I've been thinking about the drop-in directory model here, where for example you have /etc/selinux/TYPE/contexts/users/user_u.d/override.conf (kind of similar to systemd overrides). That way you can just add overrides and append or replace existing context configurations. (This would have to be addressed in SELinux user space though.)
The same would have to apply to default_context and default_type
That reminds me, by the way, that the whole default_type idea should probably be scrutinized, and that pam_selinux uses it in some places where I suspect it shouldn't.
Regardless though, this is something that would have to be addressed in SELinux user space. Probably best to start a discussion on the selinux maillist.
But I do agree, this is an area that could probably be improved in my view.
-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/SELinuxProject/refpolicy/issues/77#issuecomment-525772106
You would need to add lines to the default_contexts or *_default_contexts files that start with system_r:demi_login_t and add the relevant partial contexts that are acceptable for login.
If you would like to change how the default_context files are processed, or add new processing for login, then the SELinux userspace project is where that should be discussed. The selinux mail list would be better for that discussion. Then refpolicy would adapt to the new methods as necessary.
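To make the matching rule from the replies above concrete, here is an added illustration (not libselinux or refpolicy code) of how a default_contexts lookup selects candidate login contexts: the login program's role:type picks a line, and the partial contexts listed on that line are the candidates, filtered by the roles the SELinux user may take. The sample file, the seuser, the role set and the simplified MCS level handling (the seusers range overrides the candidate's own level) are all constructed assumptions.

```python
"""Simplified default_contexts lookup, written to show the rule discussed in
this issue.  Added example; it is not the libselinux implementation."""

# Constructed sample in the style of refpolicy's appconfig-mcs default_contexts.
# demi_login_t has no entry, which is the situation the issue reports.
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0
"""


def parse_default_contexts(text):
    """Map (role, type) of the calling domain -> ordered candidate partial contexts."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        caller, *candidates = line.split()
        role, typ = caller.split(":")[:2]       # a level on the caller field is ignored for matching
        table[(role, typ)] = candidates
    return table


def ordered_context_list(table, caller_context, seuser, allowed_roles, level):
    """Return full contexts for `seuser`, in file order, restricted to `allowed_roles`.

    caller_context: context of the login program, e.g. 'system_u:system_r:demi_login_t:s0'.
    level: the MCS/MLS range from seusers; in this simplification it replaces the
           candidate's own level (assumption, not the exact libselinux behaviour).
    """
    _, role, typ, *_ = caller_context.split(":")
    result = []
    for cand in table.get((role, typ), []):      # no line for the caller -> no candidates
        cand_role, cand_type = cand.split(":")[:2]
        if cand_role not in allowed_roles:
            continue
        result.append(f"{seuser}:{cand_role}:{cand_type}:{level}")
    return result


def with_override(text, caller, candidates):
    """Append the kind of line the reply suggests for a new login domain (constructed)."""
    return text + f"{caller}  {' '.join(candidates)}\n"


if __name__ == "__main__":
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    print(ordered_context_list(table, "system_u:system_r:demi_login_t:s0",
                               "staff_u", {"staff_r", "sysadm_r"}, "s0-s0:c0.c1023"))
```

Running the block prints an empty list for demi_login_t; adding a `system_r:demi_login_t:s0 ...` line via with_override is what makes candidates appear.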