tag 707231 +pending
thanks

On Wed, May 08, 2013 at 01:56:41PM +0200, Laurent Bigonville wrote:
> Package: wdm
> Version: 1.28-12
> Severity: serious
>
> Hello,
>
> Since version 1.28-12, wdm is calling the pam_selinux pam module
> (bug #664809).
>
> The problem is that pam_selinux is only available on linux
> architectures. As you made the pam_selinux module "required" in the pam
> configuration, this could prevent the user from logging in on !linux
> architectures.
>
> You should change this to something like:
> [success=ok ignore=ignore module_unknown=ignore default=bad]

Thanks for the info. Since I made the change I will also take care of the
new change. Unfortunately I cannot build or sign today or tomorrow, but
hope to do that before early next week.

If I understand correctly, something like the attached diff should be enough.

Regards,

--
Agustin

diff --git a/debian/wdm.pam b/debian/wdm.pam index a0ede74..d0be0d8 100644 --- a/debian/wdm.pam +++ b/debian/wdm.pam @@ -2,6 +2,7 @@ # ------------------------------------------------------------- auth required pam_nologin.so auth required pam_env.so envfile=/etc/default/locale + @include common-auth # ------------------------------------------------------------- @include common-account @@ -9,11 +10,16 @@ auth required pam_env.so envfile=/etc/default/locale # SELinux needs to be the first session rule. This ensures that any # lingering context has been cleared. Without out this it is possible # that a module could execute code in the wrong domain. -session required pam_selinux.so close +# pam_selinux is unavailable for !linux, use [...] instead of required. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + session required pam_limits.so session required pam_loginuid.so + @include common-session + # SELinux needs to intervene at login time to ensure that the process # starts in the proper default security context. Only sessions which are # intended to run in the user's context should be run after this. -session required pam_selinux.so open +# pam_selinux is unavailable for !linux, use [...] instead of required. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
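Review bot: In the first hunk (@@ -2,6 +2,7 @@) the only change is a blank line added before "@include common-auth", which is unrelated to the pam_selinux problem reported in the bug. The second hunk adds similar blank lines around "@include common-session". Consider dropping these or moving them to a separate cosmetic change, so that the diff for this fix contains only the two control-field changes on the pam_selinux.so lines.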
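Review bot: In the second hunk (@@ -9,11 +10,16 @@) the new comment "use [...] instead of required" does not say what the bracketed control does, and the behaviour change is not limited to !linux. Because module_unknown=ignore applies on every architecture, a Linux system where pam_selinux.so cannot be loaded now skips the "close" and "open" steps silently, where "required" would have failed the session. The existing comments on these lines say the module is there to keep code from running in the wrong domain, so that fail-open case deserves a sentence in the comment. It would also help to state that default=bad keeps genuine module failures fatal when the module is present. Note too that the bracketed form omits the new_authtok_reqd=ok that "required" implies, so that return value now falls under default=bad. This is probably harmless for a session entry, but worth a conscious decision. The identical comment and control string appear twice. Keeping them in sync is manual, so a short note tying the two lines together would help future edits.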