VesperOS/shadow
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move pam_selinux open call higher in the session stack

Browse Source 
Closes: #747313
This commit is contained in:
Laurent Bigonville
2014-05-08 08:46:37 +02:00
committed by Balint Reczey
parent 5a3eada191
commit 60d4dc5ae0
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
debian/login.pam vendored
View File

@@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
@@ -95,17 +105,7 @@ session optional pam_motd.so
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Sets the loginuid process attribute
session required pam_loginuid.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)