Missing selinux support
Bug #1046371 reported by
Michael Terry
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| lightdm-remote-session-freerdp (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
During MIR bug 1039636, it was noted that the PAM config profile we ship does not have selinux support. While not a blocker for main inclusion, it would still be good to have.
Revision history for this message
| Steve Langasek (vorlon) wrote | #1 |
To post a comment you must log in.
> Sure, makes sense. We are running the guest session in a locked down
> wrapper that provides some amount of policy. AFAIK this is apparmor
> only. Assuming that the lockdown of the guest session was done for
> SELinux do we have to worry that they'd conflict?
SELinux and apparmor are mutually exclusive. While we don't directly support selinux in Ubuntu, it is available in the archive and users are free to enable it. The concern here is that by not hooking into selinux in the way services are expected to do, someone trying to use the freerdp session on an selinux-enabled system will get a rude surprise: the apparmor policy won't be applied because apparmor isn't used, and the selinux policy won't
be applied because the selinux hooks aren't there, resulting in the session running completely unconfined.