> -----Original Message-----
> From: Yin, Kangkai
> Sent: Thursday, January 09, 2014 5:41 PM
> To: Schaufler, Casey
> Cc: José Bollo; [email protected]
> Subject: Re: [Dev] pam module for Smack
>
> On 2014-01-09, 17:57 +0000, Schaufler, Casey wrote:
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of José Bollo
> > > Sent: Thursday, January 09, 2014 8:36 AM
> > > To: [email protected]
> > > Subject: [Dev] pam module for Smack
> > >
> > > Hi,
> > >
> > > We are facing problems with the commands 'su' and 'ssh' that don't
> > > set the user Smack context. Such a service would naturally be
> > > accomplished by PAM, the pluggable authentication module that is
> > > integrated with well known commands ('login', 'su', 'ssh') and with
> > > other less known ones such as the Gnome session manager or weston.
> > >
> > > Currently, the context is set by systemd. I would like to know if
> > > there is a reason that explains why systemd doesn't use login+pam
> > > to achieve that behaviour.
> >
> > The reason is that systemd (currently) creates the user session
> > without a login process. Going forward that does have to change. The
> > user session is started in the "User" domain. This results in all of
> > the processes spawned in the user session being in the "User"
> > domain. That's very clean.
>
> Yep, as long as the user session processes are spawned through
> user@.service, they have been given the "User" label already.
> So if we started the sshd service with the User label, that should be fine, too.
> The problem here is that the shell su/ssh give to you does not come out through that
> path:
>
> bash-4.2# systemd-cgls --no-pager
> ├─user.slice
> │ ├─user-0.slice
> │ │ ├─session-c2.scope
> │ │ │ ├─716 su
> │ │ │ ├─729 bash
> │ │ │ └─914 systemd-cgls --no-pager
> │ │ └─user@0.service
> │ │   ├─726 /usr/lib/systemd/systemd --user
> ...
> │ └─user-5000.slice
> │   ├─session-c1.scope
> │   │ └─296 /usr/bin/user-session-launch seat0 5000
> │   └─user@5000.service
> │     ├─297 /usr/lib/systemd/systemd --user
> ...
> └─system.slice
>   ├─1 /sbin/init
> ...
>   ├─system-server.service
>   │ ├─240 /usr/bin/system_server
>   │ ├─242 /usr/bin/usb-server
>   │ ├─252 /usr/bin/data-router
>   │ ├─255 /sbin/sdbd
>   │ └─695 /bin/sh -
>
> Hence it seems the shell inherits the "System" label.
>
> /Kangkai

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
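As an added example (not code from the thread, from Tizen or from systemd), a small audit that flags processes sitting inside a systemd user session scope whose Smack label is not "User", which is exactly the condition the cgls tree above shows for the su shell. It assumes a Linux host where the task label is read from /proc/<pid>/attr/current and a unified cgroup hierarchy; the labels given to pids 296 and 240 in the sample are constructed, the others follow Kangkai's account.

```python
import os
import re

# A process under user-<uid>.slice/session-*.scope belongs to a user session.
SESSION_RE = re.compile(r"/user\.slice/user-(\d+)\.slice/session-[^/]+\.scope$")
EXPECTED_USER_LABEL = "User"  # label systemd gives the user session (from the thread)


def find_mislabelled(procs):
    """procs: iterable of (pid, comm, cgroup_path, smack_label) tuples.

    Returns [(pid, comm, uid, label)] for processes inside a user session
    scope that do not carry the "User" label (the su/ssh shells in the thread)."""
    findings = []
    for pid, comm, cgroup, label in procs:
        m = SESSION_RE.search(cgroup)
        if m and label != EXPECTED_USER_LABEL:
            findings.append((pid, comm, int(m.group(1)), label))
    return findings


def collect_live():
    """Read the live process table. Assumes Linux with Smack enabled and the
    unified cgroup hierarchy (/proc/<pid>/cgroup holds one "0::/path" line)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cgroup") as f:
                cgroup = f.readline().strip().split(":", 2)[2]
            with open(f"/proc/{pid}/attr/current") as f:  # Smack label of the task
                label = f.read().strip("\x00\n")
        except (OSError, IndexError):
            continue  # process exited or attribute not readable
        procs.append((int(pid), comm, cgroup, label))
    return procs


# Constructed sample mirroring the systemd-cgls tree quoted in the thread;
# the labels of pids 296 and 240 are assumed, the others follow Kangkai's account.
SAMPLE = [
    (716, "su", "/user.slice/user-0.slice/session-c2.scope", "System"),
    (729, "bash", "/user.slice/user-0.slice/session-c2.scope", "System"),
    (726, "systemd", "/user.slice/user-0.slice/user@0.service", "User"),
    (296, "user-session-launch", "/user.slice/user-5000.slice/session-c1.scope", "User"),
    (240, "system_server", "/system.slice/system-server.service", "System"),
]
```

Running `find_mislabelled(collect_live())` on a Smack-enabled host reports any session shell that bypassed the user@.service path, and the same check over `SAMPLE` reports only the su and bash processes.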
