[OE-core] [PATCH] shadow: remove selinux entry from pam.d/login
SElinux has been disabled in the recipe, leading to messages like this: [ 167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory [ 167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so Signed-off-by: Koen Kooi --- meta/recipes-extended/shadow/files/pam.d/login |7 --- meta/recipes-extended/shadow/shadow.inc|2 ++ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login index e41eb04..e4dacc2 100644 --- a/meta/recipes-extended/shadow/files/pam.d/login +++ b/meta/recipes-extended/shadow/files/pam.d/login @@ -26,13 +26,6 @@ auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_secur # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 42f92a7..35bd6a8 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic" LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \ file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe" +PR = "r1" + PAM_PLUGINS = " libpam-runtime \ pam-plugin-faildelay \ pam-plugin-securetty \ -- 1.6.6.1 ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] shadow: remove selinux entry from pam.d/login
This one is orthogonal to the other shadow patches by the looks of it. Op 31 mei 2011, om 20:33 heeft Koen Kooi het volgende geschreven: > SElinux has been disabled in the recipe, leading to messages like this: > > [ 167.643218] login[312]: PAM unable to > dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot > open shared object file: No such file or directory > [ 167.670837] login[312]: PAM adding faulty module: > /lib/security/pam_selinux.so > > Signed-off-by: Koen Kooi > --- > meta/recipes-extended/shadow/files/pam.d/login |7 --- > meta/recipes-extended/shadow/shadow.inc|2 ++ > 2 files changed, 2 insertions(+), 7 deletions(-) > > diff --git a/meta/recipes-extended/shadow/files/pam.d/login > b/meta/recipes-extended/shadow/files/pam.d/login > index e41eb04..e4dacc2 100644 > --- a/meta/recipes-extended/shadow/files/pam.d/login > +++ b/meta/recipes-extended/shadow/files/pam.d/login > @@ -26,13 +26,6 @@ auth [success=ok ignore=ignore user_unknown=ignore > default=die] pam_secur > # (Replaces the `NOLOGINS_FILE' option from login.defs) > auth requisite pam_nologin.so > > -# SELinux needs to be the first session rule. This ensures that any > -# lingering context has been cleared. Without out this it is possible > -# that a module could execute code in the wrong domain. > -# When the module is present, "required" would be sufficient (When SELinux > -# is disabled, this returns success.) > -session [success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so close > - > # This module parses environment configuration file(s) > # and also allows you to use an extended config > # file /etc/security/pam_env.conf. > diff --git a/meta/recipes-extended/shadow/shadow.inc > b/meta/recipes-extended/shadow/shadow.inc > index 42f92a7..35bd6a8 100644 > --- a/meta/recipes-extended/shadow/shadow.inc > +++ b/meta/recipes-extended/shadow/shadow.inc > @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic" > LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \ > > file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe" > > +PR = "r1" > + > PAM_PLUGINS = " libpam-runtime \ > pam-plugin-faildelay \ > pam-plugin-securetty \ > -- > 1.6.6.1 > ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] shadow: remove selinux entry from pam.d/login
On 06/01/2011 02:23 AM, Koen Kooi wrote: This one is orthogonal to the other shadow patches by the looks of it. That's how I see it, too. I'll be making a v2 pull request for my user/group addition code, so if your patch makes it into the tree today, I will rebase to it before sending my next pull request. Scott -- Scott Garman Embedded Linux Engineer - Yocto Project Intel Open Source Technology Center ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] shadow: remove selinux entry from pam.d/login
On 05/31/2011 11:33 AM, Koen Kooi wrote: SElinux has been disabled in the recipe, leading to messages like this: [ 167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory [ 167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so Signed-off-by: Koen Kooi --- meta/recipes-extended/shadow/files/pam.d/login |7 --- meta/recipes-extended/shadow/shadow.inc|2 ++ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login index e41eb04..e4dacc2 100644 --- a/meta/recipes-extended/shadow/files/pam.d/login +++ b/meta/recipes-extended/shadow/files/pam.d/login @@ -26,13 +26,6 @@ auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_secur # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 42f92a7..35bd6a8 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic" LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \ file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe" +PR = "r1" + PAM_PLUGINS = " libpam-runtime \ pam-plugin-faildelay \ pam-plugin-securetty \ Merged into oe-core Thanks Sau! ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
