On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
I've implemented some enhancements for pam_namespace which can be used for temporary logons. These enhancements were proposed by Dan Walsh. Please review if you're interested.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
I like the functionality, but I'm starting to think that pam_namespace may get too complex if too many special cases get added. Rather than implementing a complex ad-hoc language for the namespace conf file, would it make sense to provide the option of calling an external script, giving it username and context etc. as arguments, and using its output as a list of namespace configurations?
That way, you could keep policy decisions in the script.
That would help just with the ~xguest part of the enhancements, but this change is really simple and doesn't affect much of the code.
However, the temp dir part must be handled in the module directly. The only change could be, instead of calling 'rm -rf' directly, to call something like a namespace.remove script. But as the only logical thing is to remove the temporary directory anyway, I don't think it is worth the hassle.
selinux@lists.fedoraproject.org