Stephen Smalley (sds@tycho.nsa.gov) said:
On Wed, 2005-09-21 at 16:13 -0400, Bill Nottingham wrote:
There's an open bug for changing sulogin to handle multiple accounts with uid 0. Wouldn't it also be useful to change it to check roles as well (for strict policy)?
Can you elaborate a little, or point to the bugzilla entry?
135154/168982. Basically, it currently only authenticates as 'root', while the suggestion was to allow it to authenticate as any user who has uid 0, even if that's not 'root'.
It presently just uses the default context for "root" from sulogin's domain, where the default can be altered via the default_contexts configuration. Were you thinking of having it allow the user to select a context if multiple contexts are returned like pam_selinux does?
That's one option. What I initially thought was that, if you have multiple users who are sysadm_r (or whatever), that it would allow you to authenticate as any of them.
Bill
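The two behaviours discussed above, modelled in Python as an added example that is not code from sulogin, pam_selinux or the thread: picking candidate contexts from a default_contexts file (as pam_selinux does, offering a choice when several remain) and enumerating every passwd account with uid 0 (what the bug asks sulogin to accept). The default_contexts lines, the passwd entries and the USER_ROLES role map are constructed sample data, not taken from any real policy.

```python
# Constructed default_contexts content: the first field is the role:type:level of the
# calling program; the remaining fields are candidate contexts in preference order.
DEFAULT_CONTEXTS = """\
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
"""

# Constructed stand-in for the roles the policy authorises for each SELinux user
# (a real implementation would query the loaded policy instead of a dict).
USER_ROLES = {"root": {"sysadm_r", "staff_r"}, "staff_u": {"staff_r"}}

# Constructed /etc/passwd excerpt with two uid-0 accounts, as in the bug report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alt root:/root:/bin/sh
bill:x:1000:1000:Bill:/home/bill:/bin/bash
"""


def parse_default_contexts(text):
    """Map caller role:type:level -> ordered list of candidate contexts."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0]] = fields[1:]
    return table


def ordered_context_list(seuser, caller_context, table):
    """Candidates for seuser, keeping only those whose role the policy allows."""
    allowed = USER_ROLES.get(seuser, set())
    return [f"{seuser}:{cand}" for cand in table.get(caller_context, [])
            if cand.split(":")[0] in allowed]


def choose_context(candidates, pick=None):
    """No candidate: fail; no explicit pick: first (the default); else the chosen index."""
    if not candidates:
        return None
    if pick is None:
        return candidates[0]
    return candidates[pick] if 0 <= pick < len(candidates) else None


def uid0_accounts(passwd_text):
    """Every account name whose uid field is 0, not just 'root'."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names
```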