pam_zfs_key: Add SELinux policy for PAM module #13271
Draft
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
On a system running with SELinux enforcing,
pam_zfs_key
can be denied the access it needs. While this doesn't affect unconfined processes (assudo -u
andsu
commonly would be), targeted processes (likesshd
) are unable to unlock (or even find) the user's dataset.Description
This pull request adds a loadable SELinux policy module to the repository, allowing systems using SELinux to make full use of the PAM module. The module adds as few permissions as possible to keep the attack surface small, thus maintaining the benefits of using SELinux.
How Has This Been Tested?
/home
, for easier testing)keystatus
for encrypted home dataset and found itunavailable
keystatus
for encrypted home dataset and found itavailable
passwd
keystatus
for encrypted home dataset; found itunavailable
keystatus
for encrypted home dataset and found itavailable
Types of changes
Checklist:
Signed-off-by
.