[Pkg-shadow-commits] r2885 - debian/trunk/debian
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Sat May 9 21:34:55 UTC 2009
Author: nekral-guest
Date: 2009-05-09 21:34:55 +0000 (Sat, 09 May 2009)
New Revision: 2885
Modified:
debian/trunk/debian/changelog
debian/trunk/debian/login.pam
Log:
* debian/login.pam: Updated support for SELinux. Closes: #527106
Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog 2009-05-09 21:27:32 UTC (rev 2884)
+++ debian/trunk/debian/changelog 2009-05-09 21:34:55 UTC (rev 2885)
@@ -24,8 +24,9 @@
Install the newusers and chpasswd PAM service configuration files.
newusers and chpasswd now use PAM to update the passwords.
Closes: #525153
+ * debian/login.pam: Updated support for SELinux. Closes: #527106
- -- Christian Perrier <bubulle at debian.org> Sat, 09 May 2009 23:21:05 +0200
+ -- Christian Perrier <bubulle at debian.org> Sat, 09 May 2009 23:28:08 +0200
shadow (1:4.1.3.1-1) unstable; urgency=low
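Review bot: The added changelog entry, "Updated support for SELinux", understates what changes in login.pam: the pam_selinux.so session line goes from a commented-out, opt-in line to two active `session required` lines, so the module is now invoked on every login by default. Suggest wording the entry to say that pam_selinux is enabled by default and split into a `close` call and an `open` call, so an administrator reading the changelog sees the behaviour change.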
Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam 2009-05-09 21:27:32 UTC (rev 2884)
+++ debian/trunk/debian/login.pam 2009-05-09 21:34:55 UTC (rev 2885)
@@ -26,6 +26,12 @@
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain. (When SELinux
+# is disabled, this returns success.)
+session required pam_selinux.so close
+
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
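Review bot: The comment above the added `session required pam_selinux.so close` line says it must be the first session rule, but the hunk places it directly after `auth requisite pam_nologin.so` and the part of the file above line 26 is not shown, so please confirm that no `session` line or `@include` that pulls in session rules precedes it. In the same comment, "Without out this" should read "Without this".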
@@ -78,12 +84,13 @@
# See comments in /etc/login.defs
session optional pam_mail.so standard
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context.
-# Uncomment the following line to enable SELinux
-# session required pam_selinux.so select_context
-
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this. (When
+# SELinux is disabled, this returns success.)
+session required pam_selinux.so open
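Review bot: The removed line used `pam_selinux.so select_context`, while the added line at the end of the file uses `pam_selinux.so open`, and neither the new comment nor the changelog entry says why `select_context` is dropped. If dropping it is intended, note that in the comment; otherwise keep the option alongside `open`. The line also moves below `@include common-session`, so every session module pulled in by that include now runs before the user's context is set, which matches the new comment but is worth stating explicitly there.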