[refpolicy] useradd/passwd patch
Russell Coker
russell at coker.com.au
Fri Sep 26 15:30:12 CDT 2008
On Friday 26 September 2008 22:45, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > It might make some sense to only check the password in one way (i.e. call
> > the executable even when running as root without SE Linux) as it's not
> > something that happens often enough to cause performance. But in that
> > case I think that the suitably privileged domains should be permitted to
> > execute unix_chkpwd in the same domain.
>
> And how is this more or less secure?

Having only one code path to audit can only be a win for security.
If a domain is permitted to write to shadow_t then having unix_chkpwd executed
in the same domain doesn't make any difference to security but will reduce
the size of the policy a little.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development