Package: xdm
Followup-For: Bug #664807

Hi,

Just to be clear, pam_selinux is only available on Linux. Require cannot be used, but [success=ok ignore=ignore module_unknown=ignore default=bad] must be used instead. Login is doing the same.

Please find an updated patch.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- xdm-1.1.11/debian/xdm.pam +++ xdm-1.1.11/debian/xdm.pam @@ -3,7 +3,19 @@ auth required pam_env.so envfile=/etc/default/locale +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session required pam_limits.so +@include common-session +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) @include common-auth @include common-account -@include common-session @include common-password
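
Review bot: The two comment lines starting "# When the module is present, "required" would be sufficient" that follow the pam_selinux.so open rule are on the wrong side of it: they sit directly above @include common-auth and read as describing that include, while the same comment for pam_selinux.so close precedes its rule. Move them above the open rule so both rules are documented the same way. The first comment block also contains "Without out this", which should read "Without this". Separately, neither comment explains module_unknown=ignore; the reason (pam_selinux exists only on Linux) is given only in the mail. Because that setting makes the session stack continue whenever pam_selinux.so cannot be loaded, a line in the file saying that a missing module is skipped by design, and on which systems that is expected, would help whoever audits this stack later.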