Package: login
Version: 1:4.2-2
Severity: normal
Tags: patch

Hi,

After looking at the Fedora/CentOS ssh pam config file and talking with people upstream[0], I think that the call to pam_selinux open should be moved higher in the session stack (just after pam_loginuid and before pam_keyinit, to follow what Fedora is doing). Note that any new pam modules should be added after this pam_selinux open call.

Cheers,

Laurent Bigonville

[0] http://marc.info/?l=selinux&m=139940365925225&w=2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libaudit1       1:2.3.6-1
ii  libc6           2.18-5
ii  libpam-modules  1.1.8-3
ii  libpam-runtime  1.1.8-3
ii  libpam0g        1.1.8-3

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/pam.d/login changed [not included]

-- no debconf information
>From 0955ec4c62dcff4082942b1bcdd48a747f6bab50 Mon Sep 17 00:00:00 2001 From: Laurent Bigonville <[email protected]> Date: Wed, 7 May 2014 14:11:53 +0200 Subject: [PATCH] Move pam_selinux open call higher in the session stack --- debian/login.pam | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/debian/login.pam b/debian/login.pam index 354e62b..dccad1f 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without this it is possible # that a module could execute code in the wrong domain. # When the module is present, "required" would be sufficient (When SELinux # is disabled, this returns success.) session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close +# Sets the loginuid process attribute +session required pam_loginuid.so + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) + # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. 
@@ -95,17 +105,7 @@ session optional pam_motd.so # See comments in /etc/login.defs session optional pam_mail.so standard -# Sets the loginuid process attribute -session required pam_loginuid.so - # Standard Un*x account and session @include common-account @include common-session @include common-password - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -- 2.0.0.rc2
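Review bot: in the first hunk the relocated comment block still ends with "Only sessions which are intended to run in the user's context should be run after this", but after this move that now covers pam_env, pam_motd, pam_mail and the common-session include, and the report's own rule ("any new pam modules should be added after this pam_selinux open call") is stated only in the mail, not in the file; reword the comment to say so explicitly, e.g. "Every session module below this line, including any added later, runs in the user's SELinux context", so nobody later appends a rule that must run in the login domain beneath it. Moving the two trailing lines ("When the module is present, "required" would be sufficient ...") above the `session ... pam_selinux.so open` directive, next to its other comment, would also read more naturally.

Review bot: the second hunk removes the pam_loginuid and pam_selinux open rules that followed pam_mail and the common-* includes, which means pam_motd, pam_mail (`session optional pam_mail.so standard`) and everything pulled in by `@include common-session` now execute after the domain transition rather than before it; the diffstat shows only debian/login.pam changed, so add a debian/changelog entry recording this behavioural change and confirm the SELinux policy allows those modules to run in the user's context, since a denial there would surface as a failed login rather than an obvious error.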

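As an added example (not part of the bug report or the Debian login package), a small Python linter that checks a pam.d service file for the ordering argued for above: pam_selinux close first, then pam_loginuid, then pam_selinux open, with every other session rule, including the common-session include, after the open call. The two configurations embedded in it are constructed for the example in the shape of the pre- and post-patch session stacks, not copies of debian/login.pam.

```python
import re

# Constructed sample in the shape of the patched session stack (not the real file).
SAMPLE_PATCHED = """\
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_env.so readenv=1
session optional pam_motd.so
@include common-account
@include common-session
"""
# Constructed sample mirroring the pre-patch order (open only at the very end).
SAMPLE_OLD = """\
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session optional pam_motd.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
"""
REQUIRED = ("pam_selinux.so close", "pam_loginuid.so", "pam_selinux.so open")

def session_entries(text):
    """Return one 'module arg...' string per session rule, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            # Only an included common-session* file contributes session rules.
            if "session" in line:
                entries.append(line)
            continue
        fields = re.sub(r"\[[^\]]*\]", "CTRL", line).split()  # bracketed control field has spaces
        if len(fields) >= 3 and fields[0] == "session":
            entries.append(" ".join(fields[2:]))
    return entries

def check_selinux_order(text):
    """Return a list of problems; empty means the stack has the intended order."""
    ents = session_entries(text)
    problems = [f"missing: {m}" for m in REQUIRED if m not in ents]
    if problems:
        return problems
    close, loginuid, opn = (ents.index(m) for m in REQUIRED)
    if not close == 0 < loginuid < opn:
        problems.append("expected order: selinux close first, then loginuid, then selinux open")
    # Every other session rule must run after the open call, i.e. in the user's context.
    problems += [f"runs before pam_selinux open: {m}" for m in ents[:opn] if m not in REQUIRED]
    return problems
```

Pointing `check_selinux_order` at the contents of a real /etc/pam.d/login returns an empty list for the patched layout and names each offending rule for the old one.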
