rpms/pam_ssh/F-8 pam_ssh.te,NONE,1.1 pam_ssh.spec,1.13,1.14
Martin Ebourne
lists at ebourne.me.uk
Tue Nov 27 21:27:25 UTC 2007
On Mon, 26 Nov 2007 10:27:30 -0500, Jeremy Katz wrote:
> On Mon, 2007-11-26 at 16:54 +0300, Dmitry Butskoy wrote:
>> But if the user will decide to use SELinux (install all needed
>> packages) later? Then it should re-install pam_ssh to activate its
>> policies...
>
> This is one of the (many) reasons why it's currently better to get
> policy into the main selinux-policy package rather than trying to do
> hacks to carry policy in the package.
This is bad. It's clearly not workable to have all policy in the one
centrally maintained cathedral-like package. It's important to be allow
packages to have their own specific policy and we should be trying to fix
anything that prevents this.
In this case for instance it is necessary to grant pam extra permissions
which are not needed except for pam_ssh. Of course, good security policy
is always to give least permissions and that is being violated here for
everyone who doesn't use pam_ssh.
In the absence of an ability for selinux to know if pam_ssh is configured
then at least having the policy in the module would only activate it if
pam_ssh was installed.
Cheers,
Martin.
More information about the fedora-devel-list
mailing list