Login
/etc/pam.d/ ssh 和登錄規則
在
/etc/pam.d/,配置文件對於sshd和login有一些規則selinux。當我不使用 selinux 時,我可以簡單地禁用這些行嗎?我想簡化 pam 規則。具體來說,這些行是:
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open我要求確定,因為我認為有時天真地註釋行可能會干擾通過規則的 tte 流程。
完整
sshd配置如下:# PAM configuration for the Secure Shell service # Standard Un*x authentication. @include common-auth # Standard Un*x authorization. @include common-account # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. # Without this it is possible that a module could execute code in the wrong domain. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # Set the loginuid process attribute. session required pam_loginuid.so # Create a new session keyring. session optional pam_keyinit.so force revoke # Standard Un*x session setup and teardown. @include common-session # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. session required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. session required pam_env.so user_readenv=1 envfile=/etc/default/locale # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended # to run in the user's context should be run after this. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # Standard Un*x password updating. @include common-password
pam_selinux.so為 PAM 會話設置 SELinux 安全上下文。如果 SELinux 被禁用,則 PAM 模組將沒有任何影響,可以將其刪除。請注意,如果 SELinux 處於許可模式,SELinux 規則仍會使用但不會強制執行。刪除
pam_selinux.so將導致程序在不正確的安全上下文中執行,這可能會在審計日誌中生成大量 AVC 拒絕消息。如果稍後啟用 SELinux,則
pam_selinux.so需要在 PAM 配置中才能使使用者登錄正常工作。
我認為如果您不確切知道這意味著什麼,那麼在嘗試刪除 pam config 中的 2 行之前,您可以在配置文件中簡化很多事情。這是我的 2 美分,因為我對 pam 一無所知。