Bug#707231: wdm: pam_selinux is not available on !linux
tag 707231 +pending
thanks
On Wed, May 08, 2013 at 01:56:41PM +0200, Laurent Bigonville wrote:
> Package: wdm
> Version: 1.28-12
> Severity: serious
>
> Hello,
>
> Since version 1.28-12, wdm is calling the pam_selinux pam module
> (bug #664809).
>
> The problem is that pam_selinux is only available on linux
> architectures. As you made the pam_selinux module "required" in the pam
> configuration, this could prevent the user from logging in on !linux
> architectures.
>
> You should change this to something like:
> [success=ok ignore=ignore module_unknown=ignore default=bad]
Thanks for the info. Since I made the change I will also take care of the
new change. Unfortunately I cannot build nor sign today or tomorrow, but
hope to do that before early next week.
If I understand correctly, something like the attached diff should be enough.
Regards,
--
Agustin
diff --git a/debian/wdm.pam b/debian/wdm.pam
index a0ede74..d0be0d8 100644
--- a/debian/wdm.pam
+++ b/debian/wdm.pam
@@ -2,6 +2,7 @@
# -------------------------------------------------------------
auth required pam_nologin.so
auth required pam_env.so envfile=/etc/default/locale
+
@include common-auth
# -------------------------------------------------------------
@include common-account
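Review bot: The blank line added before `@include common-auth` is a whitespace-only change unrelated to the pam_selinux fix. For an upload that closes a serious bug, consider dropping it (together with the other blank-line additions further down) or moving it to a separate cosmetic commit, so the change to the PAM stack is limited to the two control fields.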
@@ -9,11 +10,16 @@ auth required pam_env.so envfile=/etc/default/locale
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
-session required pam_selinux.so close
+# pam_selinux is unavailable for !linux, use [...] instead of required.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
session required pam_limits.so
session required pam_loginuid.so
+
@include common-session
+
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
-session required pam_selinux.so open
+# pam_selinux is unavailable for !linux, use [...] instead of required.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
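Review bot: `module_unknown=ignore` on both pam_selinux.so lines (close and open) is not limited to !linux: on a Linux host where the module cannot be loaded, the session will now proceed without the context handling that the existing comments say is needed to keep code out of the wrong domain, where `required` would have failed the login. The added comment "use [...] instead of required" does not say this. Suggest rewording it to state that a missing module is ignored so logins work on !linux, while any other pam_selinux failure still falls under `default=bad`, and to note that an install with SELinux enforcing must have the module present.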