
Bug#679458: openssh-server: Please add call to pam_selinux



Package: openssh-server
Version: 1:6.0p1-2
Severity: wishlist
Tags: patch

Hi,

Could you please add the call to pam_selinux in the sshd pam service?

This patch requires the #677440 patch to be applied first.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru openssh-6.0p1/debian/openssh-server.sshd.pam openssh-6.0p1/debian/openssh-server.sshd.pam
--- openssh-6.0p1/debian/openssh-server.sshd.pam	2012-06-28 22:09:31.000000000 +0200
+++ openssh-6.0p1/debian/openssh-server.sshd.pam	2012-06-28 22:20:39.000000000 +0200
@@ -20,6 +20,11 @@
 # Standard Un*x authorization.
 @include common-account
 
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
 # Print the message of the day upon successful login.
 # This includes a dynamically generated part from /run/motd.dynamic
 # and a static (admin-editable) part from /etc/motd.
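Review bot: the added comment block has a typo ("Without out this" should read "Without this") and trailing whitespace at the end of its first two lines; please tidy both before this lands in the shipped pam service file. The comment also states that the `pam_selinux.so close` line must be the first session rule, but the hunk context only shows the `@include common-account` entry above it, so check the full file to confirm no session entry (for example anything included above this point) precedes it; otherwise the "lingering context has been cleared" guarantee the comment promises does not hold.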
@@ -38,8 +43,10 @@
 # Standard Un*x session setup and teardown.
 @include common-session
 
-# Set up SELinux capabilities (need modified pam)
-# session  required     pam_selinux.so multiple
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 
 # Standard Un*x password updating.
 @include common-password
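Review bot: the new `pam_selinux.so open` line uses `module_unknown=ignore` so that hosts without pam_selinux.so installed keep logging in, while `default=bad` fails the session on any other result (for instance when no valid context can be derived for the user on an enforcing system); that fail-closed behaviour is intended but not stated in the comment, so a short note such as "fails the session if a context cannot be set" next to the line would help future maintainers. Placing the `open` call after `@include common-session` matches the comment's intent that modules running in sshd's own context come first; as the report says, the hunk header (`-38,8 +43,10`) already accounts for the five lines added by the first hunk, so it must be applied together with it and after the #677440 change.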
