From 6ff5ab6af49217ac6e4d6e1d9c63c1e7ab26c501 Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Thu, 14 May 2009 19:11:38 +0000 Subject: [PATCH] * debian/login.pam: Ignore pam_selinux.so failures when the module do not exist. A required pam_selinux.so makes login fail when the module does not exist (e.g. on architecture without SE Linux support). Closes: #528673 --- debian/changelog | 5 ++++- debian/login.pam | 10 ++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index d571b6dc..28966852 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,8 +6,11 @@ shadow (1:4.1.4-2) unstable; urgency=low * debian/login.postinst: Install /var/log/faillog during initial installs only. This permits admins to disable failed logins recording. Closes: #488420 + * debian/login.pam: Ignore pam_selinux.so failures when the module do not + exist. A required pam_selinux.so makes login fail when the module does not + exist (e.g. on architecture without SE Linux support). Closes: #528673 - -- Nicolas FRANCOIS (Nekral) Mon, 11 May 2009 22:39:07 +0200 + -- Nicolas FRANCOIS (Nekral) Thu, 14 May 2009 21:08:09 +0200 shadow (1:4.1.4-1) unstable; urgency=low diff --git a/debian/login.pam b/debian/login.pam index 0aec30ae..bdf85375 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -28,9 +28,10 @@ auth requisite pam_nologin.so # SELinux needs to be the first session rule. This ensures that any # lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. (When SELinux +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux # is disabled, this returns success.) -session required pam_selinux.so close +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # This module parses environment configuration file(s) # and also allows you to use an extended config @@ -91,6 +92,7 @@ session optional pam_mail.so standard # SELinux needs to intervene at login time to ensure that the process # starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. (When -# SELinux is disabled, this returns success.) +# intended to run in the user's context should be run after this. session required pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.)