[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Adding selinux pam module by default for desktop manager

On Thu, Mar 08, 2012 at 08:13:10PM +0100, Laurent Bigonville wrote:
> On SELinux enabled system, login applications need to call selinux pam
> module during the opening of the session to correctly set the user's
> security context. In Debian the "login" service is already doing this,
> but desktop managers are not.

> I would propose to add the needed call to the pam_selinux module in DM
> pam services by default. This pam module is installed in the
> libpam-modules package, which is (I think) installed by default on
> every system.

Heh, yes, libpam-modules is a non-removable part of the system.

> The pam module needs to be called twice, please see the login pam
> service or my patch[0] for gdm3. The module can be 'require'ed if we
> are sure it's installed on the system.

> Any input on this?

> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289

This is an obviously-correct change to make; we should have the same
handling in gdm and other DMs as we do in login.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: