[Dev] pam module for Smack

José Bollo jose.bollo at open.eurogiciel.org
Thu Feb 6 15:13:02 GMT 2014


On Wed, 2014-01-29 at 09:41 -0800, Leibowitz, Michael wrote:
> On Fri, Jan 24, 2014 at 9:26 AM, Schaufler, Casey
> <casey.schaufler at intel.com> wrote:
> > Let me go just a tiny bit further. For "regular" logins (not root) the home directory should always be User. At least until Multi-user is sufficiently solid that we start thinking about giving each user their own Smack domain. I don't expect that to happen soon. The only exception will be root logins. When you log in as root you are expected to know what you're doing. Further, whatever Smack label you get (floor, System or User) is not going to be right for what you want to do about 2/3 of the time.
> >
> > So why not set the Smack label for ssh sessions to be User in all cases? That will be right for all non-root logins and for 1/3 of root logins. The root logins will be wrong 2/3 of the time regardless.
> 
> I replaced most of my code with:
>   if (smack_enabled)
>      set_label("User")
> 
> It appears to work and is a substantial reduction in code.

I believe you!)

>   While I
> think this might not be perfect for the future, it does appear to work
> now and is simple.  Let's ship it that way for now and then when life
> becomes more complicated, settle on the homedir xattr vs explicit
> configuration and user creation<->label mapping.

That is a pleasing roadmap.

> Agreed?

Yes, but someone else has to approve.

Best regards
José
> 
> Cheers
> 
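
The logic agreed on in this thread, written out in C as an added example; it is not code from the thread or from the PAM module under discussion. The function names other than `set_label`, the smackfs mount point, the `load` file used as the "enabled" test, and the use of `/proc/self/attr/current` are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed locations: the smackfs mount point and the task's own label file. */
#define SMACKFS_DIR "/sys/fs/smackfs"
#define SELF_LABEL  "/proc/self/attr/current"

/* Smack counts as enabled when the directory holds smackfs's "load" file. */
int smack_enabled(const char *dir) {
    char path[512]; struct stat st;
    if ((size_t)snprintf(path, sizeof path, "%s/load", dir) >= sizeof path)
        return 0;
    return stat(path, &st) == 0;
}

/* Kernel label rules: 1..255 printable ASCII, no space / \ ' ", no leading '-'. */
int smack_label_valid(const char *label) {
    size_t n = strlen(label);
    if (n == 0 || n > 255 || label[0] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (label[i] <= ' ' || label[i] > '~' || strchr("/\\'\"", label[i]))
            return 0;
    return 1;
}

/* Write label to attr_path; on a real system this needs CAP_MAC_ADMIN. */
int set_label(const char *attr_path, const char *label) {
    if (!smack_label_valid(label)) { errno = EINVAL; return -1; }
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, label, strlen(label));
    int saved = (w < 0) ? errno : EIO;
    close(fd);
    if (w != (ssize_t)strlen(label)) { errno = saved; return -1; }
    return 0;
}

/* The thread's logic: label the session "User" only when Smack is enabled. */
int label_session(const char *smackfs_dir, const char *attr_path) {
    return smack_enabled(smackfs_dir) ? set_label(attr_path, "User") : 0;
}

int main(void) {
    /* Fail closed: nonzero means the session keeps the daemon's label, so refuse it. */
    return label_session(SMACKFS_DIR, SELF_LABEL) == 0 ? 0 : 1;
}
```

In a PAM module the call to `label_session` would sit in the session-open hook, and a failure there should deny the session rather than let the login continue under the label inherited from sshd.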



