SELinux Mailing List

Re: file_contexts patch

From: Russell Coker <russell_at_coker.com.au>
Date: Sun, 18 Jul 2004 12:58:37 +1000


On Sun, 18 Jul 2004 05:53, Thomas Bleher <bleher@informatik.uni-muenchen.de> wrote:
> > kcheckpass should use PAM and therefore use unix_chkpwd.
>
> Doh. Of course you are right. I checked again and kcheckpass does the
> right thing and calls PAM but the SuSE PAM implementation doesn't use
> unix_chkpwd yet.
> So you can dismiss that part of my patch.

http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_unix/unix_chkpwd.c

unix_chkpwd has been around for years, I can't believe that it's something that they haven't got to yet.

Are you running kcheckpass as root (maybe SETUID)? If so then SUSE would be using PAM without my patch to pam_unix.so which allows unix_chkpwd to be called if /etc/shadow can't be opened as root (without that patch it just aborts). Also does SUSE have unix_verify (again part of my patch) installed? If not then the default policy will not work in all situations...

> > Maybe we should have a suse.te and suse.fc for such things? One thing we
> > want to avoid if possible is having entries in types.fc for distribution
> > specific names which bloat types.fc and make setfiles run more slowly.
>
> I think this is a good idea. I have a few other policy snippets which
> are needed on SuSE but won't be suitable for general policy.
> As a start, I have attached a small suse.te and suse.fc.
> Can this be included in CVS?

I'll put it in my tree, Steve will have to decide about CVS when he next does an update.

# Depends: rpm.te

suse.te needs the above line.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Sat 17 Jul 2004 - 22:58:58 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service