
Re: Setting loginuid


On Tue, 2005-02-15 at 10:53, Steve G wrote:
> 1) Use pam to set the information "pre-fork" and let the child inherit the
> loginuid from the parent process. This muddies up the entry point program's
> information, but is easier to do.

One caveat with this approach: any pam modules run (and any helpers that
they run) after the pam_audit module will then execute with this
loginuid.  We had an issue in this regard for pam_selinux that was
resolved by bracketing the module stack with two instances of
pam_selinux with separate open/close arguments to indicate whether each
instance should perform its processing upon session open or close.  This
then ensured that the exec security context wasn't set until after all
other pam modules (and their helpers) had run upon session open, and
that it was cleared before any other pam modules upon session close.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
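
The bracketing described in the message above, as an added example that is not part of the original post: a small checker that reads a PAM session stack, confirms the `pam_selinux` close instance is first and the open instance is last, and lists which modules run after the loginuid-setting module. The two stacks are constructed samples; `pam_audit.so` is the name used in the thread, the other module lines and all function names are assumptions.

```python
import re

# Constructed PAM session stacks (not from the original message). pam_audit.so
# is the module name used in the thread; the other entries are illustrative.
BRACKETED = """\
session required pam_selinux.so close
session required pam_audit.so
session required pam_limits.so
session optional pam_mail.so
session required pam_selinux.so open
"""
UNBRACKETED = """\
session required pam_selinux.so
session required pam_audit.so
session required pam_limits.so
"""

# type, control (simple word or [bracketed list]), module path, arguments
LINE = re.compile(r"^-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_modules(text):
    """Return [(module, args)] for session lines in stack order.
    Assumption: include/substack lines are not expanded."""
    mods = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            mods.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    return mods

def runs_after(text, module):
    """Modules listed after `module`: they run with whatever state it set."""
    names = [name for name, _ in session_modules(text)]
    return names[names.index(module) + 1:] if module in names else []

def check_bracketing(text):
    """Report where the stack departs from the close-first / open-last layout."""
    mods = session_modules(text)
    def where(arg):
        return [i for i, (n, a) in enumerate(mods)
                if n == "pam_selinux.so" and arg in a]
    findings = []
    if where("close") != [0]:
        findings.append("pam_selinux close instance is not the first session module")
    if where("open") != [len(mods) - 1]:
        findings.append("pam_selinux open instance is not the last session module")
    return findings

if __name__ == "__main__":
    for label, stack in (("bracketed", BRACKETED), ("unbracketed", UNBRACKETED)):
        print(label, check_bracketing(stack), runs_after(stack, "pam_audit.so"))
```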

