On Thu, Mar 08, 2012 at 08:13:10PM +0100, Laurent Bigonville wrote: > On SELinux enabled system, login applications need to call selinux pam > module during the opening of the session to correctly set the user's > security context. In Debian the "login" service is already doing this, > but desktop managers are not. > I would propose to add the needed call to the pam_selinux module in DM > pam services by default. This pam module is installed in the > libpam-modules package, which is (I think) installed by default on > every system. Heh, yes, libpam-modules is a non-removable part of the system. > The pam module needs to be called twice, please see the login pam > service or my patch[0] for gdm3. The module can be 'require'ed if we > are sure it's installed on the system. > Any input on this? > [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289 This is an obviously-correct change to make; we should have the same handling in gdm and other DMs as we do in login. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature