#1445 The SELinux login file needs to be created by the responder, not PAM module
Closed: Fixed None Opened 10 years ago by jhrozek.

The SELinux login file was created by pam_sss. This was wrong, because by the time pam_sss is loaded by the PAM-aware application, it is running with the context of the application, such as sshd_t. This would make it hard for policy writers to allow creating the file.

It would be better to write the file in the responder so that only sssd_t can be allowed to write into /etc/selinux/targeted.

master: 300c772

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0
type: defect => task

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.9.0 beta 6

6 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2487

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
