[Pkg-shadow-commits] r2920 - debian/trunk/debian

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Thu May 14 19:11:38 UTC 2009 

Author: nekral-guest
Date: 2009-05-14 19:11:38 +0000 (Thu, 14 May 2009)
New Revision: 2920

Modified:
   debian/trunk/debian/changelog
   debian/trunk/debian/login.pam
Log:
  * debian/login.pam: Ignore pam_selinux.so failures when the module do not
    exist. A required pam_selinux.so makes login fail when the module does not
    exist (e.g. on architecture without SE Linux support). Closes: #528673


Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog	2009-05-12 20:05:53 UTC (rev 2919)
+++ debian/trunk/debian/changelog	2009-05-14 19:11:38 UTC (rev 2920)
@@ -6,8 +6,11 @@
   * debian/login.postinst: Install /var/log/faillog during initial installs
     only. This permits admins to disable failed logins recording.
     Closes: #488420
+  * debian/login.pam: Ignore pam_selinux.so failures when the module do not
+    exist. A required pam_selinux.so makes login fail when the module does not
+    exist (e.g. on architecture without SE Linux support). Closes: #528673
 
- -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 11 May 2009 22:39:07 +0200
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Thu, 14 May 2009 21:08:09 +0200
 
 shadow (1:4.1.4-1) unstable; urgency=low
 

Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam	2009-05-12 20:05:53 UTC (rev 2919)
+++ debian/trunk/debian/login.pam	2009-05-14 19:11:38 UTC (rev 2920)
@@ -28,9 +28,10 @@
 
 # SELinux needs to be the first session rule. This ensures that any 
 # lingering context has been cleared. Without out this it is possible 
-# that a module could execute code in the wrong domain.  (When SELinux
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
-session    required   pam_selinux.so close
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
@@ -91,6 +92,7 @@
 
 # SELinux needs to intervene at login time to ensure that the process
 # starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.  (When
-# SELinux is disabled, this returns success.)
+# intended to run in the user's context should be run after this.
 session required pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)

More information about the Pkg-shadow-commits mailing list