SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List RE: newrole in the background This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Reed, Tim \(US SSA\) <tim.reed_at_baesystems.com> Date: Wed, 12 Dec 2007 10:47:56 -0800 I have made my modifications to newrole. Is there any testcases or documentation on what needs to be tested before submitting a patch? With the minimal testing that I have done everything appears to be working correctly. Attached is the patch file. Please review and comment. Thanks! Tim -----Original Message----- From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Tuesday, December 11, 2007 1:18 PM To: Xavier Toth Cc: Reed, Tim (US SSA); selinux@tycho.nsa.gov Subject: Re: newrole in the background On Tue, 2007-12-11 at 10:06 -0600, Xavier Toth wrote: > We ended up creating a variant of newrole which doesn't require tty > access. We did this to run some of our applications in the background > but still get newroles ability to set the context/level of the child > and to create a pam session for polyinstantiation. For this to work we > had to configure our apps into our variants equivalent of > /etc/selinux/newrole_pam.conf and provide corresponding /etc/pam.d > files which typically look like : *> #%PAM-1.0* > auth required pam_permit.so > account required pam_permit.so > password required pam_permit.so > session required pam_mkpolydir.so debug > session required pam_namespace.so unmnt_remnt > no_unmount_on_close gen_hash ignore_instance_parent_mode debug > > This variant was based on a Fedora policysoreutils source rpm because > the RHEL5 version doesn't contain the code to map applications to > /etc/pam.d files using /etc/selinux/newrole_pam.conf. As a workaround, you could certainly create a pty in your application and use that for newrole - that woudl let you use newrole unmodified. As a longer term solution, I'd suggest making a patch for newrole that allows it to gracefully function even in the absence of a tty, and get that upstreamed, so that you can use newrole as is. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. application/octet-stream attachment: newrole_no_tty.patch Received on Wed 12 Dec 2007 - 13:48:20 EST This message: [ Message body ] Next message: Joshua Brindle: "Re: PATCH: libsepol should not write policy.18 with mls enabled" Previous message: Stephen Smalley: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" In reply to: Stephen Smalley: "Re: newrole in the background" Next in thread: Ted X Toth: "Re: newrole in the background" Reply: Ted X Toth: "Re: newrole in the background" Reply: Stephen Smalley: "RE: newrole in the background" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom