On Tue, 2005-01-11 at 08:59 -0500, Stephen Smalley wrote:
> On Fri, 2005-01-07 at 14:09, DeadManMoving wrote:
> > I've recently found a bug in the implementation of SELinux in Gentoo
> > Still willing to fix that, I've given the Red Hat passwd suite a try on
> > my Gentoo installation and yes! it works quite well!
>
> IIRC, the Fedora passwd program obtains the caller's security context,
> extracts the user identity from it, and checks a SELinux permission if
> attempting to change the passwd information for a user other than the
> caller. Note that the user identity in the security context can only
> be set by processes allowed to do so by SELinux policy and is not
> necessarily the same as the Linux uid, so a rogue uid 0 process cannot
> arbitrarily assume the SELinux user identity of "root".

I was writing up a patch for shadow's version of passwd, chfn, and chsh,
when I noticed that chage doesn't have a check. Is chage not included
in Fedora, or was it determined that it didn't need a check?
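
The check described in the quoted reply above, sketched as an added example (not part of the original thread, and not Fedora's or shadow's code): the caller's SELinux user is taken from its security context, and a policy permission is required only when the target is a different user. The function names, the `sample_policy` callback and the sample contexts are constructed for illustration; a real tool would obtain the context and the policy decision from SELinux itself.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the policy query; a real tool would ask the
 * SELinux security server rather than a local function. */
typedef int (*perm_check_fn)(const char *caller_context);

/* Copy the user field (text before the first ':') of a context such as
 * "root:sysadm_r:sysadm_t" into out. Returns 0, or -1 if malformed/too long. */
int context_user(const char *context, char *out, size_t outlen)
{
    const char *colon = context ? strchr(context, ':') : NULL;
    if (colon == NULL || colon == context)
        return -1;
    size_t n = (size_t)(colon - context);
    if (n >= outlen)
        return -1;
    memcpy(out, context, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the caller may change target's entry, else 0. The Linux uid
 * is deliberately not an input: only the SELinux user identity and the
 * policy decision count. Malformed input is denied. */
int may_change_entry(const char *caller_context, const char *target,
                     perm_check_fn has_passwd_perm)
{
    char user[64];
    if (!target || context_user(caller_context, user, sizeof user) != 0)
        return 0;
    if (strcmp(user, target) == 0)
        return 1;                /* own entry: no permission check needed */
    return has_passwd_perm != NULL && has_passwd_perm(caller_context) != 0;
}

/* Constructed sample policy: only the sysadm_t domain holds the permission. */
int sample_policy(const char *caller_context)
{
    const char *type = strrchr(caller_context, ':');
    return type != NULL && strcmp(type + 1, "sysadm_t") == 0;
}

int main(void)
{
    /* Constructed contexts: a process labelled user_u is denied for "root". */
    printf("%d\n", may_change_entry("user_u:user_r:user_t", "root", sample_policy));
    printf("%d\n", may_change_entry("root:sysadm_r:sysadm_t", "alice", sample_policy));
    return 0;
}
```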