Package: login
Version: 1:4.2-2
Severity: normal
Tags: patch

Hi,

After looking at the Fedora/CentOS ssh PAM config file and talking with
people upstream[0], I think that the call to pam_selinux open should be
moved higher in the session stack (just after pam_loginuid and before
pam_keyinit, to follow what Fedora is doing).

Note that any new pam modules should be added after this pam_selinux
open call.

Cheers,

Laurent Bigonville

[0] http://marc.info/?l=selinux&m=139940365925225&w=2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libaudit1       1:2.3.6-1
ii  libc6           2.18-5
ii  libpam-modules  1.1.8-3
ii  libpam-runtime  1.1.8-3
ii  libpam0g        1.1.8-3

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/pam.d/login changed [not included]

-- no debconf information
From 0955ec4c62dcff4082942b1bcdd48a747f6bab50 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <[email protected]>
Date: Wed, 7 May 2014 14:11:53 +0200
Subject: [PATCH] Move pam_selinux open call higher in the session stack

---
 debian/login.pam | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/debian/login.pam b/debian/login.pam
index 354e62b..dccad1f 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any 
-# lingering context has been cleared. Without out this it is possible 
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
 # that a module could execute code in the wrong domain.
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
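Review bot: the sentence "When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)" is placed below the new `pam_selinux.so open` rule, detached from the comment block that introduces it, while the identical sentence for the `close` rule sits above its rule; move it into the comment block above the open call so both rules are documented the same way. The hunk also folds unrelated cleanups of the close comment ("Without out this" -> "Without this", trailing whitespace) into the move; that is fine, but the commit message currently has a subject line and no body, so it should carry the Fedora rationale and the marc.info reference from the report. The new comment states that only sessions meant to run in the user's context should follow the open call, and after this move pam_env (and pam_motd, pam_mail further down) do follow it; say in the commit message that this is the intended effect.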
@@ -95,17 +105,7 @@ session    optional   pam_motd.so
 # See comments in /etc/login.defs
 session    optional   pam_mail.so standard
 
-# Sets the loginuid process attribute
-session    required     pam_loginuid.so
-
 # Standard Un*x account and session
 @include common-account
 @include common-session
 @include common-password
-
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
-- 
2.0.0.rc2
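To check that a login PAM file actually has the ordering this report asks for, here is an added example, not code from the report or from the Debian login package: it parses the session stack of a pam.d file and flags every rule that sits before the pam_selinux open call other than the close call and pam_loginuid. The two sample files are constructed from the before/after shape of debian/login.pam visible in the patch, trimmed to the relevant lines; the pam_env.so line is assumed.

```python
"""Ordering check for the session stack of a PAM service file.

Added example; not code from the bug report or the Debian login package.
It encodes the ordering the report argues for:

  * pam_selinux.so close is the first session rule,
  * pam_loginuid.so immediately precedes pam_selinux.so open,
  * every other session rule (and every @include) comes after the open call.

The sample stacks below are constructed from the before/after shape of
debian/login.pam seen in the patch, trimmed to the lines that matter;
the pam_env.so line and its arguments are assumed.
"""


def parse_session_stack(text):
    """Return the session rules of a pam.d file, in order, as (module, args).

    Comments, blank lines and auth/account/password rules are skipped.
    '@include' lines are kept as ('@include', name) because the included
    stack runs at that point too.  A bracketed control field such as
    '[success=ok ... default=bad]' contains spaces, so the module name is
    taken from the first field after the closing ']'.  Assumes '#' never
    appears inside a module argument.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.append(("@include", line.split(None, 1)[1]))
            continue
        fields = line.split()
        if fields[0] != "session":
            continue
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            rest = fields[end + 1:]
        else:
            rest = fields[2:]
        rules.append((rest[0], " ".join(rest[1:])))
    return rules


def check_session_order(rules):
    """Return violation strings; an empty list means the ordering holds."""

    def find(module, args=None):
        for i, (m, a) in enumerate(rules):
            if m == module and (args is None or a == args):
                return i
        return None

    close_i = find("pam_selinux.so", "close")
    open_i = find("pam_selinux.so", "open")
    loginuid_i = find("pam_loginuid.so")
    if None in (close_i, open_i, loginuid_i):
        return ["missing pam_selinux.so close/open or pam_loginuid.so rule"]

    problems = []
    if close_i != 0:
        problems.append("pam_selinux.so close is not the first session rule")
    if loginuid_i != open_i - 1:
        problems.append("pam_loginuid.so does not immediately precede pam_selinux.so open")
    # Anything else that runs before the open call is a violation.
    for i, (m, a) in enumerate(rules[:open_i]):
        if i in (close_i, loginuid_i):
            continue
        problems.append(f"{m} {a}".strip() + " runs before pam_selinux.so open")
    return problems


SELINUX_CTL = "[success=ok ignore=ignore module_unknown=ignore default=bad]"

# Constructed sample: the stack before the patch (open call at the very end).
BEFORE = f"""\
auth       requisite  pam_nologin.so
session {SELINUX_CTL} pam_selinux.so close
session    required   pam_env.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
session    required     pam_loginuid.so
@include common-account
@include common-session
@include common-password
session {SELINUX_CTL} pam_selinux.so open
"""

# Constructed sample: the same stack after the patch.
AFTER = f"""\
auth       requisite  pam_nologin.so
session {SELINUX_CTL} pam_selinux.so close
session    required     pam_loginuid.so
session {SELINUX_CTL} pam_selinux.so open
session    required   pam_env.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
@include common-account
@include common-session
@include common-password
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        problems = check_session_order(parse_session_stack(text))
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  -", p)
```

Run it against a real file with `parse_session_stack(open("/etc/pam.d/login").read())`; the @include entries are reported as rules in their own right, which is exactly what makes a stray include before the open call visible.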
