From 4d8a10d86cca3de958a2d02d3db666f4c5c8a2cf Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Tue, 3 Sep 2019 16:48:39 +0200
Subject: [PATCH] Move the call to pam_motd before pam_selinux open

pam_selinux calls setexeccon() with the context of the user, that means that the first execve() after the call to "pam_selinux open" will be executed in the user's context. As pam_motd in debian calls system() to run run-parts to generate the motd dynamically we need to be sure that this is done before that so it runs in the context of the login executable.
---
 debian/login.pam | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/debian/login.pam b/debian/login.pam
index 3226fe2d..553145fa 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -26,9 +26,19 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
 # Sets the loginuid process attribute
 session required pam_loginuid.so
 
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
 # SELinux needs to intervene at login time to ensure that the process
 # starts in the proper default security context. Only sessions which are
 # intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
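Review bot: The new comment above `pam_selinux.so open` explains the execve() transition but does not record why pam_motd must now sit above it, so a later reorder (or a locally added module that forks a helper, such as pam_exec.so) could silently put a root-privileged helper back into the user's SELinux context. I would append to the added comment `# Any module that forks a helper (pam_motd runs run-parts via system()) must be` and `# listed above this line, otherwise the helper runs as root in the user's context.` so the constraint lives next to the line it protects. Note also that the move places pam_motd ahead of every session module between old lines 26 and 71 (pam_lastlog is visible in the second hunk; the others are outside this hunk), so the run-parts helper now inherits whatever environment and umask login has at this point rather than what those later modules set up, and the motd is printed before the "Last login" line; the commit message does not mention either side effect and it would be worth confirming the update-motd.d scripts do not rely on them.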
@@ -71,13 +81,6 @@ session required pam_limits.so
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
 session optional pam_lastlog.so
 
-# Prints the message of the day upon successful login.
-# (Replaces the `MOTD_FILE' option in login.defs)
-# This includes a dynamically generated part from /run/motd.dynamic
-# and a static (admin-editable) part from /etc/motd.
-session optional pam_motd.so motd=/run/motd.dynamic
-session optional pam_motd.so noupdate
-
 # Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
 #