Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
Kindly ping. Anything missing or unclear?

Regards,
Christian Göttsche
Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
control: user selinux-de...@lists.alioth.debian.org
control: usertag -1 selinux

Hi,

an improved patch, which also reorders pam_motd, can be found at https://salsa.debian.org/ssh-team/openssh/-/merge_requests/20.
Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
Hi,

Please find here a 2nd version of the patch that should apply cleanly with -6. Could you please apply it?

Cheers,

Laurent Bigonville

diff -Nru openssh-6.6p1/debian/openssh-server.sshd.pam.in openssh-6.6p1/debian/openssh-server.sshd.pam.in --- openssh-6.6p1/debian/openssh-server.sshd.pam.in 2014-06-28 15:36:18.0 +0200 +++ openssh-6.6p1/debian/openssh-server.sshd.pam.in 2014-06-29 20:51:06.0 +0200 @@ -21,6 +21,11 @@ # Set the loginuid process attribute. sessionrequired pam_loginuid.so +# SELinux needs to intervene at login time to ensure that the process starts +# in the proper default security context. Only sessions which are intended +# to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad]pam_selinux.so open + @IF_KEYINIT@# Create a new session keyring. @IF_KEYINIT@sessionoptional pam_keyinit.so force revoke @@ -46,10 +51,5 @@ # /etc/default/locale, so read that as well. sessionrequired pam_env.so user_readenv=1 envfile=/etc/default/locale -# SELinux needs to intervene at login time to ensure that the process starts -# in the proper default security context. Only sessions which are intended -# to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad]pam_selinux.so open - # Standard Un*x password updating. @include common-password
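Review bot: In the `@@ -21,6 +21,11 @@` hunk the inserted `pam_selinux.so open` block carries no `@IF_KEYINIT@` prefix while the two pam_keyinit context lines right after it do, so the SELinux call is emitted whether or not keyinit support is enabled. That is the right choice, since the context transition must not depend on keyring support, but it is worth confirming that the template substitution accepts an unconditional block sitting between `pam_loginuid.so` and the conditional `@IF_KEYINIT@` lines.

Review bot: In the `@@ -46,10 +51,5 @@` hunk the five removed lines are character-for-character the five lines added by the first hunk, so this is a pure move with no change to the control field `[success=ok ignore=ignore module_unknown=ignore default=bad]`. The moved comment only says that later entries run in the user's context; since the report relies on maintainers adding any new session module after this call, consider extending the comment with that rule (e.g. `# Any new session modules must be added after this line.`) so the ordering survives future edits.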
Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
Package: openssh-server
Version: 1:6.6p1-5
Severity: normal
Tags: patch

Hi,

After looking at the Fedora/CentOS ssh pam config file and talking with people upstream[0] I think that the call to pam_selinux open should be moved higher in the session stack (just after pam_loginuid and before pam_keyinit to follow what Fedora is doing).

Note that any new pam modules should be added after this pam_selinux open call.

Cheers,

Laurent Bigonville

[0] http://marc.info/?l=selinuxm=139940365925225w=2

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru openssh-6.6p1/debian/openssh-server.sshd.pam openssh-6.6p1/debian/openssh-server.sshd.pam --- openssh-6.6p1/debian/openssh-server.sshd.pam 2014-04-21 22:24:51.0 +0200 +++ openssh-6.6p1/debian/openssh-server.sshd.pam 2014-05-07 10:48:31.0 +0200 @@ -21,6 +21,11 @@ # Set the loginuid process attribute. sessionrequired pam_loginuid.so +# SELinux needs to intervene at login time to ensure that the process starts +# in the proper default security context. Only sessions which are intended +# to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad]pam_selinux.so open + # Create a new session keyring. sessionoptional pam_keyinit.so force revoke 
@@ -46,10 +51,5 @@ # /etc/default/locale, so read that as well. sessionrequired pam_env.so user_readenv=1 envfile=/etc/default/locale -# SELinux needs to intervene at login time to ensure that the process starts -# in the proper default security context. Only sessions which are intended -# to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad]pam_selinux.so open - # Standard Un*x password updating. @include common-password
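Review bot: In the `@@ -21,6 +21,11 @@` hunk the new position puts `pam_selinux.so open` directly after `pam_loginuid.so` and before `pam_keyinit.so force revoke`, which is exactly the loginuid / selinux open / keyinit order the report describes for Fedora, so the session keyring is now created after the security context has been selected. Only the `open` call is moved, though: the hunk shows no matching `pam_selinux.so close` entry, so if the stack has one, its position relative to the new `open` line should be confirmed when applying this.

Review bot: In the `@@ -46,10 +51,5 @@` hunk the header is consistent (five lines removed, and the +5 new-side offset follows from the five lines added by the first hunk) and the removed text matches the inserted block verbatim, so the net effect is a pure reorder. One consequence worth stating in the changelog: `pam_env.so user_readenv=1 envfile=/etc/default/locale` now runs after the `open` call instead of before it, i.e. on the side the comment reserves for entries meant to run in the user's context; that matches the report's intent but is an ordering change a reader of the diff would not otherwise notice.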