pam_selinux and systemd

2017-09-07 Thread Dominick Grift
pam_selinux requirements are generally pretty simple: it's used to associate a context with a login shell. With systemd things have become a bit more complicated. systemd uses pam_selinux to associate a context with both a login shell (via container-shell@.service) as well as with a systemd

conditional role and range transitions?

2017-09-07 Thread Dominick Grift
I was just reminded of the fact that role and range transitions cannot be conditional in kernel policy. Is this technically impossible? Why can type transitions be conditional in kernel policy but not role and range transitions?

Re: [PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module

2017-09-07 Thread Stephen Smalley
On Tue, 2017-09-05 at 15:24 -0700, Chenbo Feng via Selinux wrote: > On Fri, Sep 1, 2017 at 5:50 AM, Stephen Smalley > wrote: > > On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote: > > > From: Chenbo Feng > > > > > > Introduce 5 LSM hooks to provide finer

Re: pam_selinux and systemd

2017-09-07 Thread Stephen Smalley
On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote: > pam_selinux requirements are generally pretty simple: it's used to > associate a context with a login shell. > > With systemd things have become a bit more complicated. > > systemd uses pam_selinux to associate a context with both a

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 04:30:36PM +0200, Dominick Grift wrote: > On Thu, Sep 07, 2017 at 03:56:36PM +0200, Dominick Grift wrote: > > On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote: > > > On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote: > > > > On Thu, Sep 07, 2017

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote: > On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote: > > On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote: > > > pam_selinux requirements are generally pretty simple: it's used to > > > associate a context with a

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote: > On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote: > > On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote: > > > On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote: > > > > pam_selinux requirements are

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 03:56:36PM +0200, Dominick Grift wrote: > On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote: > > On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote: > > > On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote: > > > > On Thu, Sep 07, 2017

Re: [PATCH 1/6] libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses

2017-09-07 Thread jwcart2
On 09/03/2017 08:19 AM, Nicolas Iooss wrote: When compiling libsepol with clang and some warning flags, the compiler complains about the way IPv6 addresses are initialized: kernel_to_cil.c:2795:35: error: suggest braces around initialization of subobject [-Werror,-Wmissing-braces]

Re: conditional role and range transitions?

2017-09-07 Thread Stephen Smalley
On Thu, 2017-09-07 at 14:26 +0200, Dominick Grift wrote: > I was just reminded of the fact that role and range transitions > cannot be conditional in kernel policy. > > Is this technically impossible? Why can type transitions be > conditional in kernel policy but not role and range transitions?

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote: > On Thu, 2017-09-07 at 11:05 +0200, Dominick Grift wrote: > > pam_selinux requirements are generally pretty simple: it's used to > > associate a context with a login shell. > > > > With systemd things have become a bit more

Re: pam_selinux and systemd

2017-09-07 Thread Dominick Grift
On Thu, Sep 07, 2017 at 03:50:02PM +0200, Dominick Grift wrote: > On Thu, Sep 07, 2017 at 03:30:47PM +0200, Dominick Grift wrote: > > On Thu, Sep 07, 2017 at 03:22:42PM +0200, Dominick Grift wrote: > > > On Thu, Sep 07, 2017 at 08:55:23AM -0400, Stephen Smalley wrote: > > > > On Thu, 2017-09-07 at