[Pkg-shadow-commits] r2885 - debian/trunk/debian

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Sat May 9 21:34:55 UTC 2009


Author: nekral-guest
Date: 2009-05-09 21:34:55 +0000 (Sat, 09 May 2009)
New Revision: 2885

Modified:
   debian/trunk/debian/changelog
   debian/trunk/debian/login.pam
Log:
  * debian/login.pam: Updated support for SELinux. Closes: #527106


Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog	2009-05-09 21:27:32 UTC (rev 2884)
+++ debian/trunk/debian/changelog	2009-05-09 21:34:55 UTC (rev 2885)
@@ -24,8 +24,9 @@
     Install the newusers and chpasswd PAM service configuration files.
     newusers and chpasswd now use PAM to update the passwords.
     Closes: #525153
+  * debian/login.pam: Updated support for SELinux. Closes: #527106
 
- -- Christian Perrier <bubulle at debian.org>  Sat, 09 May 2009 23:21:05 +0200
+ -- Christian Perrier <bubulle at debian.org>  Sat, 09 May 2009 23:28:08 +0200
 
 shadow (1:4.1.3.1-1) unstable; urgency=low
 

Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam	2009-05-09 21:27:32 UTC (rev 2884)
+++ debian/trunk/debian/login.pam	2009-05-09 21:34:55 UTC (rev 2885)
@@ -26,6 +26,12 @@
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.  (When SELinux
+# is disabled, this returns success.)
+session    required   pam_selinux.so close
+
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
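Review bot: The comment added above `session    required   pam_selinux.so close` contains a typo, "Without out this", and its first two lines end in trailing whitespace; suggest "Without this it is possible that a module could execute code in the wrong domain." The comment also requires this to be the first session rule, but the hunk context only shows the preceding `auth       requisite  pam_nologin.so` line, so it is worth confirming that no other `session` entry or `@include` that pulls in session modules appears earlier in the file.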
@@ -78,12 +84,13 @@
 # See comments in /etc/login.defs
 session    optional   pam_mail.so standard
 
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context.
-# Uncomment the following line to enable SELinux
-# session required pam_selinux.so select_context
-
 # Standard Un*x account and session
 @include common-account
 @include common-session
 @include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.  (When
+# SELinux is disabled, this returns success.)
+session required pam_selinux.so open
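Review bot: The new last line, `session required pam_selinux.so open`, is active, while the line it replaces was commented out ("Uncomment the following line to enable SELinux") and used `select_context`; neither the new comment nor the changelog entry ("Updated support for SELinux") says that the module is now enabled by default or why `select_context` was dropped. Suggest recording both points in the changelog entry. The line is also separated by single spaces, unlike `session    required   pam_selinux.so close` in the earlier hunk; aligning the columns would keep the file consistent.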



