Comment 7 for bug 1039636

On Sun, 2012-09-02 at 10:21 +0000, Steve Langasek wrote:
> - common-auth and common-session are not included (as commented
> above). This makes sense given the intent to provide freerdp
> authentication, but it's a very non-PAM-ish way to do it. Why, for
> instance, is this not done as a pam-auth-update profile for the
> freerdp module, which enables freerdp as one of the available methods
> for authenticating to a single lightdm service? Looking at the
> source, apparently the answer is that we want to use freerdp
> authentication only for a freerdp session, so it is indeed a different
> service from lightdm' standard usage; so that's a perfectly fine
> answer, and shouldn't be a blocker for main IMHO.

Yes, we don't want to use it for local account authentication. This is
why I thought using the common* path should not be included. I'd be
happy to add it if you think it should be there blocker or not.

> - gnome-keyring and selinux modules, used in the standard lightdm
> config, aren't mentioned here. I guess gnome-keyring doesn't matter
> at all if the session just launches an rdp client; but shouldn't the
> selinux policy still be applied (if selinux is in use)?

Sure, makes sense. We are running the guest session in a locked down
wrapper that provides some amount of policy. AFAIK this is apparmor
only. Assuming that the lockdown of the guest session was done for
SELinux do we have to worry that they'd conflict?