Debian / SE/Linux

Luke Kenneth Casson Leighton lkcl at lkcl.net
Sun May 30 17:33:30 UTC 2004


dear pam developers,

long time no post: last time i was on this list it was about
pam_ntdom and pam_smb, like 5 years ago, almost.

anyway, i'm back, and this time it's about SE/Linux.

	http://www.nsa.gov/selinux

no doubt you are aware of SE/Linux, devised by the NSA
to alleviate some concerns about GNU/Linux being used
unmodified and therefore in their mind insecure in various
US government departments and services (the public ones
not the scary ones).

the NSA has created a number of patches to various user-space
programs - pam is one of them.

a number of distros are beginning to pick these up: Redhat's
Fedora Core 2 is now distributed with SE/Linux *enabled* by
default.

Russell Coker is now maintaining some separate patches to
PAM for Debian - separate from the debian mainstream distribution.

... it's not by choice, but by necessity!

basically, what i would ask you to consider, is to evaluate
the patches to PAM, because there are several packages,
such as login, openssh etc. which depend critically for
successful operation on the SELinux PAM functionality.

and without that functionality being in place upstream,
some of the other package maintainers are not accepting
the SELinux patches because if they do, things will break.

so, although you're not _quite_ at the bottom of the dependency
tree, it's pretty darn close :) :)


one of the most common concerns about the acceptance of the
SELinux package patches is "will it break things for non-selinux
systems?"

the answer to that one is a most definite "no, it will NOT
break anything".

the reason is, as you can see from the patches
(available from several sources but probably the most
 convenient place to obtain them is via:
 http://www.nsa.gov/selinux/code/download5.cfm),
the use of "is_selinux_enabled()": if this indicates
that selinux is not enabled, then things like PAM_SUCCESS
get returned, etc.

also for your convenience here is one of the debian bugs
that references the pam_unix patch; i can't find one for
the pam_selinux patch unless i missed it.

	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=249499

thank you,

l.


-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
lkcl.net: http://lkcl.net
lkcl at lkcl.net
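The gating pattern the message describes, written out as an added example (this is not code from the NSA or Debian PAM patches, nor from libselinux). It assumes PAM_SUCCESS is 0 as in Linux-PAM, and approximates what is_selinux_enabled() looks for by scanning a /proc/self/mounts-style listing for a mounted selinuxfs; the sample mount tables are constructed inline, and demo_selinux_work() is a hypothetical stand-in for whatever the real module would do once SELinux is known to be on.

```c
/* Added example: the "do nothing unless SELinux is on" gate used by the
 * SELinux PAM patches, with a self-contained stand-in for the probe.
 * Not the patches' own code; PAM_SUCCESS value assumed from Linux-PAM. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS 0   /* assumed: Linux-PAM's value for "module is happy" */

/* Constructed sample mount tables (format of /proc/self/mounts). */
static const char sample_mounts_selinux[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n"
    "/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0\n";

static const char sample_mounts_plain[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0\n";

/* Scan a mounts listing line by line; the third whitespace-separated field
 * is the filesystem type.  Returns 1 if a selinuxfs mount is present,
 * 0 if none is, -1 on bad input.  This is an approximation of the check
 * libselinux's is_selinux_enabled() performs, not libselinux itself. */
int selinuxfs_in_mounts_text(const char *text)
{
    const char *p;
    if (!text)
        return -1;
    for (p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], dev[128], mnt[256], type[64];
        if (len >= sizeof line)
            len = sizeof line - 1;          /* clip absurdly long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%127s %255s %63s", dev, mnt, type) == 3 &&
            strcmp(type, "selinuxfs") == 0)
            return 1;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Live probe of the running host.  Reads up to 16 KiB of /proc/self/mounts;
 * on a box with a very long mount table the tail is ignored (comment, not
 * hidden behaviour).  -1 means "could not tell". */
int selinux_enabled_probe(void)
{
    char buf[16384];
    size_t n;
    int err;
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    err = ferror(f);
    fclose(f);
    if (err)
        return -1;
    buf[n] = '\0';
    return selinuxfs_in_mounts_text(buf);
}

/* The gate: anything other than a definite "enabled" (1) means the module
 * returns PAM_SUCCESS without touching anything, which is what keeps the
 * patched modules harmless on a non-SELinux system.  Treating -1 (probe
 * failed) the same as "off" is a fail-open design choice made here; a
 * deployment that must never log in without a context could fail closed. */
int selinux_gate(int enabled, int (*selinux_work)(void))
{
    if (enabled != 1)
        return PAM_SUCCESS;
    return selinux_work();
}

/* Hypothetical stand-in for the real SELinux-specific work (e.g. setting an
 * exec context); it just records that it ran. */
int demo_selinux_work_ran = 0;
int demo_selinux_work(void)
{
    demo_selinux_work_ran = 1;
    return PAM_SUCCESS;
}

int main(void)
{
    int enabled = selinux_enabled_probe();
    printf("selinuxfs mounted on this host: %d\n", enabled);
    return selinux_gate(enabled, demo_selinux_work) == PAM_SUCCESS ? 0 : 1;
}
```

Run it on a host without SELinux and the gate returns PAM_SUCCESS without ever calling the SELinux-specific work; the two constructed mount tables let you exercise both branches of the probe without changing the host.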