Hello,

You also mentioned a dependency on the kernel, is there a need for
a versioned dependency on libselinux1-dev with your patch?


The remaining of the mail is not directly related to your patch, but is
still related to SE Linux support in shadow.

On Wed, Mar 26, 2008 at 08:09:41AM +1100, [EMAIL PROTECTED] wrote:
> On Wednesday 26 March 2008 04:08, Christian Perrier <[EMAIL PROTECTED]> 
> wrote:
> > Quoting Nicolas François ([EMAIL PROTECTED]):
> > > > password.  With SE Linux Strict policy a user who has UID==0 and the
> > > > role user_r can do little damage to the system.
> > >
> > > Thanks for the patch. I will commit it for 4.1.1.
> >
> > Is there any need to discuss this with other distros?
> 
> Which other distros are you referring to?  Red Hat appears to use a different 
> source base for passwd (and in any case a large part of my patch was copied 
> from their code).  Who else has SE Linux support?

I merged a lot of patches from Fedora to upstream. Some patches remain,
like shadow-4.1.0-selinux.patch. But Fedora should basically use the same
source for shadow. However, Fedora does not install passwd from the
shadow sources but from another source package.

>From my understanding, shadow-4.1.0-selinux.patch permits to define the
SE Linux user used to create, move, delete files in useradd, usermod,
userdel (file context?). It uses semanage, genhomedircon, restorecon.

Maybe this is not useful in Debian because useradd, usermod, and userdel
are compiled with PAM support and pam_selinux may provide the same
support.

>From the above, it may be obvious (or not, eh, I don't even know!) that I
don't really understand SE Linux and even less the tools and APIs used for
SE Linux.

I would like to review the WITH_SELINUX parts of shadow for a latter
release, because I fear it is not really consistent from one tool to
another.

Russel, if you think I should also apply shadow-4.1.0-selinux.patch
upstream, I will apply it blindly.

Best Regards,
-- 
Nekral


Reply via email to