Package: shadow
Version: 1:4.1.3.1-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu karmic ubuntu-patch
Hello,

The following patch allows for SELinux to be enabled for login (and does not get in the way if SELinux is not enabled).

Thanks,

-Kees

--
Kees Cook @debian.org
diff -pruN 1:4.1.1-6/debian/login.pam 1:4.1.1-6ubuntu6/debian/login.pam --- 1:4.1.1-6/debian/login.pam 2009-04-04 09:22:54.000000000 +0100 +++ 1:4.1.1-6ubuntu6/debian/login.pam 2009-04-04 09:21:40.000000000 +0100 @@ -20,6 +20,12 @@ auth [success=ok ignore=ignore use # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. (When SELinux +# is disabled, this returns success.) +session required pam_selinux.so close + # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. @@ -72,12 +78,13 @@ session optional pam_motd.so # See comments in /etc/login.defs session optional pam_mail.so standard -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. -# Uncomment the following line to enable SELinux -# session required pam_selinux.so select_context - # Standard Un*x account and session @include common-account @include common-session @include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. (When +# SELinux is disabled, this returns success.) +session required pam_selinux.so open
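Review bot: In the first hunk (the new `session required pam_selinux.so close` block inserted after `pam_nologin.so`), the added comment has a typo: "Without out this it is possible" should read "Without this it is possible". While touching that comment, it would help to spell out the consequence of `required`: on a system where SELinux is enabled, a failure of the `close` call denies the session rather than being ignored, so the "returns success when disabled" remark only covers the disabled case. Stating that explicitly makes the fail-closed behaviour a documented choice instead of an implicit one.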
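Review bot: The second hunk replaces the commented-out `session required pam_selinux.so select_context` with an active `session required pam_selinux.so open` placed after the three `@include` lines, but nothing in the patch or the cover text notes that the module option changed from `select_context` to `open`; the changelog entry should mention it so anyone who had locally uncommented the old line knows why it was dropped. The new position is the right one given the comment ("Only sessions which are intended to run in the user's context should be run after this"): every session module pulled in by `@include common-session` still runs in the login process's own context before the transition. Since the comment is the only guard against someone appending rules below this line, consider adding a one-line warning such as "# Do not add session rules after this line unless they must run in the user's context" to make that constraint visible.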

