Adding selinux pam module by default for desktop manager

To: debian-devel@lists.debian.org
Subject: Adding selinux pam module by default for desktop manager
From: Laurent Bigonville <bigon@debian.org>
Date: Thu, 8 Mar 2012 20:13:10 +0100
Message-id: <[🔎] 20120308201310.75f9a0f2@fornost.bigon.be>

Hi,

On SELinux enabled system, login applications need to call selinux pam
module during the opening of the session to correctly set the user's
security context. In Debian the "login" service is already doing this,
but desktop managers are not.

I would propose to add the needed call to the pam_selinux module in DM
pam services by default. This pam module is installed in the
libpam-modules package, which is (I think) installed by default on
every system. On a system where SELinux is disabled, the pam module
should return a success.

The pam module needs to be called twice, please see the login pam
service or my patch[0] for gdm3. The module can be 'require'ed if we
are sure it's installed on the system.

Any input on this?

Cheers

Laurent Bigonville

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289

Reply to:

Follow-Ups:
- Re: Adding selinux pam module by default for desktop manager
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: upstart: please update to latest upstream version
Next by Date: Re: upstart: please update to latest upstream version
Previous by thread: Bug#663116: ITP: python-neuroshare -- Python interface and tools for Neuroshare
Next by thread: Re: Adding selinux pam module by default for desktop manager
Index(es):
- Date
- Thread