#1439 sss_pam needs to write out SELinux login file during the account phase
Closed: Fixed None Opened 6 years ago by jhrozek.

It turns out that the current way of writing the SELinux login file during the account phase wouldn't work well for IPA clients. The reason is that the login file must be in place before "pam_selinux.so open" is called in the session stack. That happens before any of the processes are executed on behalf of the user, that is, before the service config file includes password-auth or system-auth.

We could in theory change authconfig to include pam_sss.so before pam_selinux.so open in the session stack, but that would require changing quite a few config files.

Because we need the login file to be present even before pam_sss's session management starts, we should move it to the account phase.


I consulted this issue with the maintainer of PAM and AuthConfig in Fedora. Long story short, writing the SELinux file in the account stack is the only option we have.

However, this can bring some difficulties: the SELinux provider can't be a part of the access provider, as a user might want to use a different access provider than the SELinux provider.

I propose the following solution: we will add a new type of PAM command to the PAM responder: PAM_CMD_SELINUX. The PAM responder will detect when PAM_ACCT_MGMT is completed by the provider and after that it will create the new request and send it to the backend. Only after that will it return control to the PAM module. I already have a proof-of-concept patch; I will send it to the list momentarily.
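The ordering problem from the ticket description and the proposed fix above, modelled as an added example. This is constructed illustration code, not SSSD's PAM responder or back end: the module names, the `PAM_CMD_SELINUX` step, and the login-file layout (one `seuser:range` line under a logins directory, which is assumed here to match what libselinux reads) are stand-ins, and the only thing the model is meant to show is that a file written by `pam_sss.so session` lands too late for `pam_selinux.so open`, while a file written before `PAM_ACCT_MGMT` returns is already there.

```python
"""Model of the PAM phase ordering discussed in this ticket (constructed example)."""
import os
import tempfile

PAM_SUCCESS = 0
PAM_USER_UNKNOWN = 10   # value as in <security/_pam_types.h>

# Constructed test data: what the modelled back end knows about users.
SEUSERS = {"alice": "staff_u:s0-s0:c0.c1023"}


class Backend:
    """Stand-in for an SSSD back end. Not SSSD code."""

    def __init__(self, logins_dir, seusers):
        self.logins_dir = logins_dir
        self.seusers = seusers

    def acct_mgmt(self, user):
        return PAM_SUCCESS if user in self.seusers else PAM_USER_UNKNOWN

    def selinux(self, user):
        # Writes <logins_dir>/<user> containing "seuser:range" (assumed layout).
        # Written under a temporary name and renamed, so a concurrent reader
        # such as pam_selinux never sees a half-written file.
        path = os.path.join(self.logins_dir, user)
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(self.seusers[user] + "\n")
        os.replace(tmp, path)
        return PAM_SUCCESS


class Responder:
    """Models the PAM responder. With selinux_in_account=True it issues the
    hypothetical PAM_CMD_SELINUX request right after a successful
    PAM_ACCT_MGMT and before returning to pam_sss; with False the file is
    written only when pam_sss.so session runs (the old behaviour)."""

    def __init__(self, backend, selinux_in_account):
        self.backend = backend
        self.selinux_in_account = selinux_in_account

    def request(self, cmd, user):
        if cmd == "PAM_ACCT_MGMT":
            ret = self.backend.acct_mgmt(user)
            if ret == PAM_SUCCESS and self.selinux_in_account:
                ret = self.backend.selinux(user)   # PAM_CMD_SELINUX
            return ret
        if cmd == "PAM_OPEN_SESSION":
            if not self.selinux_in_account:
                return self.backend.selinux(user)
            return PAM_SUCCESS
        raise ValueError(cmd)


def pam_selinux_open(logins_dir, user):
    """Models 'pam_selinux.so open': read the login file if it exists."""
    try:
        with open(os.path.join(logins_dir, user)) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return None


def run_login(user, selinux_in_account):
    """Run the account stack, then a session stack ordered like a typical
    service file: pam_selinux.so open first, the include of
    password-auth/system-auth (where pam_sss.so session lives) later.
    Returns (account result, context pam_selinux saw or None)."""
    with tempfile.TemporaryDirectory() as logins_dir:
        responder = Responder(Backend(logins_dir, SEUSERS), selinux_in_account)

        # account stack: pam_sss.so account
        ret = responder.request("PAM_ACCT_MGMT", user)
        if ret != PAM_SUCCESS:
            return ret, None

        # session stack
        seen = pam_selinux_open(logins_dir, user)      # pam_selinux.so open
        responder.request("PAM_OPEN_SESSION", user)    # include -> pam_sss.so session
        return ret, seen


if __name__ == "__main__":
    print("written in session phase:", run_login("alice", False))
    print("written in account phase:", run_login("alice", True))
```

With the file written during the session phase the model's `pam_selinux.so open` finds nothing, because the include that reaches `pam_sss.so session` runs after it; with the `PAM_CMD_SELINUX` step in the account phase the file is already present, and an unknown user never reaches the session stack at all. The rename-into-place in `Backend.selinux` is a detail worth keeping in any real implementation: the file is consumed by a different process in the session stack, so it should appear atomically.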

Fields changed

patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6

Fixed in master:

- 7016947229edcaa268a82bf69fde37e521b13233
- 38e2ec1c757955ab557fd95807afa58042d09482

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6

2 years ago
