On Wed, Sep 28, 2005 at 05:14:31PM -0700, James Blanford wrote:
> Package: libpam-modules
> Version: 0.79-1

> I used to be able to su from root to any other account without entering
> a password.  Now a password is requested.  This breaks at least the
> updatedb script.  Please revert the SELinux passwd class permissions
> check.

Please explain why the SELinux patch is to blame.  The SELinux changes should
have zero impact unless you have an SELinux-enabled kernel, *and* you have
SELinux turned on at boot time.

This patch is in use in Fedora and the latest upstream version of Linux-PAM,
and is the one given to me by the folks working on SELinux in Debian.  I
can't say that I actually understand *why* pam_rootok should be making this
library call (which, from an SELinux standpoint, must be advisory in
nature), but I'm not willing to remove it outright without being presented
with an argument that I can in turn relay to upstream.

After only minimal research into the SELinux API I have some minor concerns
about the quality of the patch, but that doesn't tell me that it's *wrong*;
it's very possible that this behavior is intentional, and that what's needed
here is an update to the Debian SELinux policy.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
