#1445 The SELinux login file needs to be created by the responder, not PAM module
Closed: Fixed. Opened 7 years ago by jhrozek.

The SELinux login file was created by pam_sss. This was wrong, because by the time pam_sss is loaded by the PAM-aware application, it is running with the context of the application, such as sshd_t. This would make it hard for policy writers to allow creating the file.

It would be better to write the file in the responder so that only sssd_t can be allowed to write into /etc/selinux/targeted.

master: 300c772

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0
type: defect => task

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.9.0 beta 6

3 years ago
