Linda Knippers wrote:
Klaus Weidner wrote:
On Wed, Mar 21, 2007 at 06:28:18PM -0400, Linda Knippers wrote:

I'm doing some testing on a system installed in 'capp' mode and when
I log in I get a prompt to select a different context, which doesn't
seem right.  I think for a capp installation we don't want the
"select_context" option on pam_selinux.so in /etc/pam.d/login.

I'm still using 0.19 of the ks scripts and rpm but I just looked
at the sources for .21 and they look the same in this area.
Sorry about the late reply, I had missed the message.

The intent is that in CAPP mode, people can still use SELinux including
roles, there just are not any security claims about it.

I didn't think roles were really supported with the targeted policy
though, meaning there's really just one role. I think someone would
have to do a lot of policy modification (ala strict) to have something
useful.  Or am I missing something?

We are adding roles support to targeted policy for FC7 and beyond, but select_context should not be used in targeted policy.

The
select_context setting is optional in this case, it's in there by default
because the script currently doesn't support conditional pam config
files.

I might look at fixing that then.  I don't want to present users
with a question that doesn't make sense for their configuration.

-- ljk


--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
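
The conditional PAM handling discussed in this thread could look like the sketch below. It is an added example, not part of the original messages or of the ks scripts. It assumes the policy type is read from the SELINUXTYPE= line of /etc/selinux/config; the function names and the sample file are made up for illustration.

```shell
# Added example; function names are hypothetical, not from the ks scripts.

# Print the policy type (SELINUXTYPE=) from an SELinux config file.
selinux_policy_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if an active (non-comment) pam_selinux.so line carries select_context.
has_select_context() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_selinux\.so.*[[:space:]]select_context([[:space:]]|$)' "$1"
}

# Print PAM_FILE ($2); for targeted policy ($1), drop select_context from
# active pam_selinux.so lines. Other policy types pass through unchanged.
filter_pam_login() {
    if [ "$1" != "targeted" ]; then
        cat "$2"
        return 0
    fi
    awk '
        /pam_selinux\.so/ && !/^[ \t]*#/ {
            gsub(/[ \t]+select_context[ \t]+/, " ")   # option in mid-line
            sub(/[ \t]+select_context$/, "")          # option at end of line
        }
        { print }
    ' "$2"
}

# Constructed sample resembling /etc/pam.d/login (not copied from a real system).
sample_login() {
    cat <<'EOF'
auth       include      system-auth
session    required     pam_selinux.so close
# session  required     pam_selinux.so open select_context
session    required     pam_selinux.so open select_context
session    include      system-auth
EOF
}

# Demo: apply the filter to the sample, as a kickstart %post step might.
demo() {
    tmp=$(mktemp) || return 1
    sample_login > "$tmp"
    filter_pam_login targeted "$tmp"
    rm -f "$tmp"
}
demo
```

has_select_context can also be run against an installed system's /etc/pam.d/login as a post-install check that users on targeted policy will not be prompted for a context.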
