Bug#679458: openssh-server: Please add call to pam_selinux
Package: openssh-server
Version: 1:6.0p1-2
Severity: wishlist
Tags: patch
Hi,
Could you please add the call to pam_selinux in the sshd pam service.
This patch requires the #677440 patch to be applied first.
Cheers
Laurent Bigonville
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.4-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru openssh-6.0p1/debian/openssh-server.sshd.pam openssh-6.0p1/debian/openssh-server.sshd.pam
--- openssh-6.0p1/debian/openssh-server.sshd.pam 2012-06-28 22:09:31.000000000 +0200
+++ openssh-6.0p1/debian/openssh-server.sshd.pam 2012-06-28 22:20:39.000000000 +0200
@@ -20,6 +20,11 @@
# Standard Un*x authorization.
@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
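Review bot: the added comment reads "Without out this", which should be "Without this"; it ends up as an admin-visible comment in /etc/pam.d/sshd, so please fix it before upload. On the control field, `[success=ok ignore=ignore module_unknown=ignore default=bad]` is the expansion of `required` with `module_unknown=ignore` added, so a missing libpam-selinux is skipped silently while any error returned by the module marks the session as failed. That is presumably the intent (no hard dependency on libpam-selinux), but the comment only explains the ordering; one sentence saying the rule is a no-op when the module is not installed would save the next reader from decoding the bracket syntax. The placement itself looks right: the `close` rule comes ahead of the motd rules and of `@include common-session`, so it is the first session rule as the comment requires.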
@@ -38,8 +43,10 @@
# Standard Un*x session setup and teardown.
@include common-session
-# Set up SELinux capabilities (need modified pam)
-# session required pam_selinux.so multiple
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
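Review bot: the line being replaced carried the `multiple` option (`session required pam_selinux.so multiple`) together with the note that it needed a modified pam; the new `open` rule drops `multiple` without saying why, so either the comment or the changelog should state that the plain `open` form is what is wanted now. As in the first hunk, the bracket control field is `required` plus `module_unknown=ignore`: once libpam-selinux is present it behaves exactly like the old `required` line, and only when the module is absent does the rule become a no-op, which is worth saying in the comment so admins do not read the bracket form as "optional". Ordering is consistent with the comment: this is the last session rule, after `@include common-session` and before `@include common-password`, so only password rules follow it.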