> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Leibowitz, Michael
> Sent: Friday, January 24, 2014 8:57 AM
> To: José Bollo
> Cc: [email protected]
> Subject: Re: [Dev] pam module for Smack
> 
> On Fri, Jan 24, 2014 at 7:20 AM, José Bollo <[email protected]>
> wrote:
> > On ven, 2014-01-24 at 06:30 -0800, Leibowitz, Michael wrote:
> >> On Fri, Jan 24, 2014 at 2:10 AM, José Bollo
> ...
> >> > How do you plan to modify /usr/sbin/useradd.local ?
> >>
> >> A good question.  The IVI build has a few users defined out of the
> >> box.  I had been testing with just those users.  I would think that
> >> for non-system users, the label for now ought to be User.  Does this
> >> seem reasonable?
> >
> > I agree that it is reasonable.

Let me go just a tiny bit further. For "regular" logins (not root) the home 
directory should always be User. At least until Multi-user is sufficiently 
solid that we start thinking about giving each user their own Smack domain. I 
don't expect that to happen soon. The only exception will be root logins. When 
you log in as root you are expected to know what you're doing. Further, 
whatever Smack label you get (floor, System or User) is not going to be right 
for what you want to do about 2/3 of the time.

So why not set the Smack label for ssh sessions to be User in all cases? That 
will be right for all non-root logins and for 1/3 of root logins. The root 
logins will be wrong 2/3 of the time regardless.

> >
> > My very first idea was to replace SELINUX stuff with something like:
> ....
> > But surely the multi user configuration is more complex. And setting
> > System is maybe wrong.
> >
> > Another idea that we are looking at is to put a loop to activate hooks.
> > Something like:
> >
> >  for hook in /etc/user.d/useradd/*; do
> >    [ -x "$hook" ] && "$hook" "$@"
> >  done
> >
> > That would allow packages to add hooks when users are added.
> 
> So, is this an agreeable policy for which label to make?  Casey?

So the hook would get run with the uid and Smack label of the user? That seems 
pretty reasonable. The multi-user team will have to buy off on that, of course. 
With that you need to have stored the Smack label for the user somewhere, but 
that can wait until we do per-user domains.

> Cheers
> 
> 
> 
> --
> Michael Leibowitz
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
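
The hook loop proposed in the thread runs as root whatever is found in /etc/user.d/useradd, so the following is a hardened form of it that only runs hooks it can trust. It is an added example, not code from the thread or from Tizen. The `HOOK_DIR` and `HOOK_OWNER` variables, the function names, and the interface of passing the user name and Smack label as two arguments are assumptions.

```shell
#!/bin/sh
# Added example: hardened form of the /etc/user.d/useradd/* hook loop.
# HOOK_DIR, HOOK_OWNER and the (user, label) hook arguments are assumptions.

HOOK_DIR=${HOOK_DIR:-/etc/user.d/useradd}
HOOK_OWNER=${HOOK_OWNER:-root}   # owner a hook must have to be trusted

# hook_is_trusted FILE: succeed only for an executable regular file (symlinks
# are refused) owned by HOOK_OWNER and not writable by group or others.
hook_is_trusted() {
    [ -x "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -user "$HOOK_OWNER" \
              ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# run_useradd_hooks USER LABEL: run each trusted hook with the new user's name
# and Smack label. Returns non-zero if any hook was skipped or failed, so the
# caller can log or abort instead of silently ignoring a tampered hook.
run_useradd_hooks() {
    user=$1 label=$2 rc=0
    for hook in "$HOOK_DIR"/*; do
        # An empty directory leaves the glob unexpanded; skip that literal.
        [ -e "$hook" ] || [ -L "$hook" ] || continue
        if ! hook_is_trusted "$hook"; then
            echo "useradd hooks: skipping untrusted $hook" >&2
            rc=1
            continue
        fi
        "$hook" "$user" "$label" || {
            echo "useradd hooks: $hook failed" >&2
            rc=1
        }
    done
    return "$rc"
}
```

The per-file check only means something if the hook directory itself is owned by root and not writable by group or others. For non-system users the label argument would be `User`, as agreed in the thread.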