Your message dated Thu, 19 Jan 2017 18:20:00 +0000
with message-id <[email protected]>
and subject line Bug#747313: fixed in shadow 1:4.4-2
has caused the Debian Bug report #747313,
regarding login: Please move pam_selinux open call higher in the session PAM 
stack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
747313: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747313
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: login
Version: 1:4.2-2
Severity: normal
Tags: patch

Hi,

After looking at Fedora/CentOS ssh pam config file and talking with
people upstream[0] I think that the call to pam_selinux open should be
moved higher in the session stack (just after pam_loginuid and before
pam_keyinit to follow what Fedora is doing).

Note that any new pam modules should be added after this pam_selinux
open call.

Cheers,

Laurent Bigonville

[0] http://marc.info/?l=selinux&m=139940365925225&w=2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libaudit1       1:2.3.6-1
ii  libc6           2.18-5
ii  libpam-modules  1.1.8-3
ii  libpam-runtime  1.1.8-3
ii  libpam0g        1.1.8-3

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/pam.d/login changed [not included]

-- no debconf information
>From 0955ec4c62dcff4082942b1bcdd48a747f6bab50 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <[email protected]>
Date: Wed, 7 May 2014 14:11:53 +0200
Subject: [PATCH] Move pam_selinux open call higher in the session stack

---
 debian/login.pam | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/debian/login.pam b/debian/login.pam
index 354e62b..dccad1f 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any 
-# lingering context has been cleared. Without out this it is possible 
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
 # that a module could execute code in the wrong domain.
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
@@ -95,17 +105,7 @@ session    optional   pam_motd.so
 # See comments in /etc/login.defs
 session    optional   pam_mail.so standard
 
-# Sets the loginuid process attribute
-session    required     pam_loginuid.so
-
 # Standard Un*x account and session
 @include common-account
 @include common-session
 @include common-password
-
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
-- 
2.0.0.rc2


--- End Message ---
--- Begin Message ---
Source: shadow
Source-Version: 1:4.4-2

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <[email protected]> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Jan 2017 18:22:49 +0100
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.4-2
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers 
<[email protected]>
Changed-By: Balint Reczey <[email protected]>
Description:
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 663117 734609 734671 747115 747313 759113 768020 772470 777107 800553 
805182 817971 824391 830255 850338
Changes:
 shadow (1:4.4-2) unstable; urgency=medium
 .
   [ Balint Reczey ]
   * Update homepage to new upstream
   * Always use /bin/sh shell in the build (Closes: #817971)
   * Replace user´s -> user's to make login.def file valid ASCII
     (Closes: #850338)
   * Update patch naming docmentation
   * Fix typos in German man pages (Closes: #734609)
   * Send 1000_configure_userns patch upstream
   * Add call to pam_keyinit for login pam service.
     This module is linux-any only, so copy what openssh has already done and
     remove the call at build time for other architectures.
     The call to this module is needed to have proper per-session kernel
     keyring. (Closes: #734671)
   * Add pts/0 and pts/1 to securetty (Closes: #830255)
   * Add ttySAC* to securetty (Closes: #824391)
   * Add ttySC[4-9] to securetty (Closes: #768020)
 .
   [ Laurent Bigonville ]
   * Move pam_selinux open call higher in the session stack (Closes: #747313)
 .
   [ Christian Perrier ]
   * Fix typos in login.pam (thanks to Jakub Wilk for reporting)
     (Closes: #747115)
   * Include groupmems(8) in the passwd package (Closes: #663117)
 .
   [ Frans Spiesschaert ]
   * Dutch translation update (Closes: #772470)
 .
   [ Trần Ngọc Quân ]
   * Update Vietnamese translation (Closes: #777107)
 .
   [ Miroslav Kuře ]
   * Updated Czech translation. (Closes: #759113)
 .
   [ Holger Wansing ]
   * Update for German man pages
 .
   [ Thomas Blein ]
   * French manpage translation (Closes: #805182)
 .
   [ Lars Bahner ]
   * Fix some spelling issues in the Norwegian translation (Closes: #800553)
Checksums-Sha1:
 78bd8c80c4403467db2ce9fbf2893816ef58c4b2 2262 shadow_4.4-2.dsc
 25d2dfd6ab86a9620cfad9f73735d65271ab28e9 600592 shadow_4.4-2.debian.tar.xz
Checksums-Sha256:
 a57f2b28f751e32b6890c7e1dc1608e5df0a0acd1229239fee902e6586ddf035 2262 
shadow_4.4-2.dsc
 b866a5736664268bc81864278772cd2d5444929d1195a2acd42c5d5245edf486 600592 
shadow_4.4-2.debian.tar.xz
Files:
 e1a9651dffd03b9b0cea69d59453ecca 2262 admin required shadow_4.4-2.dsc
 4992d2679578eed217df2630aba2f860 600592 admin required 
shadow_4.4-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYgP3ZAAoJEPZk0la0aRp9ZC8P/jc+6MTvnpecD8hTY4+ydC43
sB+2v4FyxKuIhLfcwszc1c5jUjLnngnqaXX7XmwHkCyK/JWyB4Y9REHbwjAzgtn+
N/CR4tBOljZOgnv5ZZ9REO0OQ1CkCkffpl4oN2n+qZHv39d97pz75Pz+e/OzEKaC
EfjSFlOa+lNGXbY07pmRTk1cfdRslC3FfUCO86udQOBZ5HugfI1BEV/v84uYx0MS
QIZ9R/kV/H/W6XoQQmhhIwa3AmozLSsNGZAILhAEKUO1LecalI3jm+I2LhE08eh0
ZQ7bWUExv5ILSu8yCieXHJBOy30DyZUWd9CU1/2lTEUGNRjq0JdVZDsmBrTI7Xea
0ks1qyoDmsTmjfrRR9f6J18Lmk4rrMLb+PAd2c3uQDvpK+GFCj3Ls8SArjxEz74Q
4t/I/X3Z9vu9lAoR250aFErJUtOUsVHQA2HwWmyri9uu1SacCTmnIZG+qIunKZTh
nt2iPP6d20kjvNeAqWAx/wIZjQADeuRQzfwu2Bb8fvaJdvNfl/u/tcaS1IQgyGaV
8Q13r2+wOW07cgWCAFyjabEKspCT3pkKY2/qyFPafe2SOGkEoKF7oFUAIEHtdv8I
kSLCUCb10weV1RqdnS+2Rr3HSF+aR79KkSeVer0PVwnjfAMMJQfLm1wMrMgGtRea
qZ8dQfaIYqT/w/fI9kHm
=+z0s
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to