SELinux Mailing List

Re: Cleanup of chkpwd and su macros

From: Russell Coker <russell_at_coker.com.au>
Date: Thu, 21 Apr 2005 13:49:02 +1000


On Wednesday 20 April 2005 23:30, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> Index: macros/program/chkpwd_macros.te
> -can_kerberos(auth_chkpwd)
> -can_ldap(auth_chkpwd)
> -can_resolve(auth_chkpwd)

Why do you remove those? I expect that any daemon that needs access to run unix_chkpwd will need to check account data by LDAP and other means.

I don't have a test network for this at the moment though.

> Here are the changes to the su macros. user_su_t definitely needs the
> "allow $1_su_t self:netlink_audit_socket create_netlink_socket_perms;"
> rule, but now that I look at it again I don't know why I put it in the
> ifdef. The ifdef is not really needed anyway since chkpwd.te is in
> domains/program, not domains/program/unused.

I think it's a good procedure to have the ifdefs. It'll make things easier if we need to make unexpected changes later on.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Received on Wed 20 Apr 2005 - 23:54:14 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service