
Bug#707231: wdm: pam_selinux is not available on !linux



tag 707231 +pending
thanks

On Wed, May 08, 2013 at 01:56:41PM +0200, Laurent Bigonville wrote:
> Package: wdm
> Version: 1.28-12
> Severity: serious
> 
> Hello,
> 
> Since version 1.28-12, wdm is calling the pam_selinux pam module
> (bug #664809).
> 
> The problem is that pam_selinux is only available on linux
> architectures. As you made the pam_selinux module "required" in the pam
> configuration, this could prevent the user from logging in on !linux
> architectures.
> 
> You should change this to something like:
> [success=ok ignore=ignore module_unknown=ignore default=bad]

Thanks for the info. Since I made the change I will also take care of the
new change. Unfortunately I cannot build nor sign today or tomorrow, but
hope to do that before early next week.

If I understand correctly, something like the attached diff should be enough.

Regards,

-- 
Agustin
diff --git a/debian/wdm.pam b/debian/wdm.pam
index a0ede74..d0be0d8 100644
--- a/debian/wdm.pam
+++ b/debian/wdm.pam
@@ -2,6 +2,7 @@
 # -------------------------------------------------------------
 auth            required        pam_nologin.so
 auth            required        pam_env.so envfile=/etc/default/locale
+
 @include common-auth
 # -------------------------------------------------------------
 @include common-account
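Review bot: the blank line added after the pam_env.so rule is a whitespace-only change unrelated to the pam_selinux fix. Consider moving the cosmetic spacing into a separate commit so that the fix for a serious-severity bug stays minimal and easy to review.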
@@ -9,11 +10,16 @@ auth            required        pam_env.so envfile=/etc/default/locale
 # SELinux needs to be the first session rule. This ensures that any
 # lingering context has been cleared. Without out this it is possible
 # that a module could execute code in the wrong domain.
-session	        required        pam_selinux.so close
+# pam_selinux is unavailable for !linux, use [...] instead of required.
+session	 [success=ok ignore=ignore module_unknown=ignore default=bad]   pam_selinux.so close
+
 session	 required        pam_limits.so
 session	 required        pam_loginuid.so
+
 @include common-session
+
 # SELinux needs to intervene at login time to ensure that the process
 # starts in the proper default security context. Only sessions which are
 # intended to run in the user's context should be run after this.
-session required        pam_selinux.so open
+# pam_selinux is unavailable for !linux, use [...] instead of required.
+session	 [success=ok ignore=ignore module_unknown=ignore default=bad]   pam_selinux.so open
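
Review bot: module_unknown=ignore on both pam_selinux.so rules makes a module that cannot be loaded non-fatal on every architecture, not only on !linux, and the new comment ("use [...] instead of required") does not say that. On a Linux host where pam_selinux.so fails to load, the rule would be skipped, which is the situation the existing comment warns about ("a module could execute code in the wrong domain"). Suggest stating in the comment that module_unknown=ignore is the part that matters and what happens when the module is absent. Plain required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad], so the bracket form here also drops new_authtok_reqd=ok; add it if the intent is to change nothing but the module_unknown handling. The "Without out this" typo in the context line could be fixed while this block is being touched.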

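The failure mode described in the report can be checked mechanically. The following is an added example, not part of the original thread or of the wdm package: it expands each rule's control to the bracket form documented in pam.conf(5) and reports rules that would fail the stack when the named module cannot be loaded. The function names and the sample text (condensed from the diff above) are constructed for illustration.

```python
import re

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
# type, control (keyword or [bracket list]), module path; "@include" and
# comment lines do not match.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def action_for(control, result):
    """Action the control assigns to a PAM result name such as module_unknown."""
    spec = control[1:-1] if control.startswith("[") else KEYWORDS.get(control, "")
    actions = dict(tok.split("=", 1) for tok in spec.split() if "=" in tok)
    # Assumption of this example: a result with no entry and no default= is
    # treated as "bad", the conservative reading.
    return actions.get(result, actions.get("default", "bad"))

def blocking_if_missing(pam_text, module="pam_selinux.so"):
    """List (line number, type, control) of rules that fail the stack when
    `module` cannot be loaded, i.e. module_unknown maps to bad or die."""
    hits = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        m = RULE.match(raw.strip())
        if m and m.group(3).rsplit("/", 1)[-1] == module:
            if action_for(m.group(2), "module_unknown") in ("bad", "die"):
                hits.append((lineno, m.group(1), m.group(2)))
    return hits

# Constructed samples, condensed from the two sides of the diff above.
BEFORE = """\
session required pam_selinux.so close
session required pam_limits.so
@include common-session
session required pam_selinux.so open
"""
FIXED = "[success=ok ignore=ignore module_unknown=ignore default=bad]"
AFTER = BEFORE.replace("required pam_selinux.so", FIXED + " pam_selinux.so")

if __name__ == "__main__":
    print("before:", blocking_if_missing(BEFORE))  # both pam_selinux rules
    print("after: ", blocking_if_missing(AFTER))   # none
```
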