Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
Package: openssh-server
Version: 1:6.6p1-5
Severity: normal
Tags: patch
Hi,
After looking at Fedora/CentOS ssh pam config file and talking with
people upstream[0]
I think that the call to pam_selinux open should be moved higher in the
session stack (just after pam_loginuid and before pam_keyinit to follow
what Fedora is doing).
Note that any new pam modules should be added after this pam_selinux
open call.
Cheers,
Laurent Bigonville
[0] http://marc.info/?l=selinux&m=139940365925225&w=2
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru openssh-6.6p1/debian/openssh-server.sshd.pam openssh-6.6p1/debian/openssh-server.sshd.pam
--- openssh-6.6p1/debian/openssh-server.sshd.pam 2014-04-21 22:24:51.000000000 +0200
+++ openssh-6.6p1/debian/openssh-server.sshd.pam 2014-05-07 10:48:31.000000000 +0200
@@ -21,6 +21,11 @@
# Set the loginuid process attribute.
session required pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
# Create a new session keyring.
session optional pam_keyinit.so force revoke
@@ -46,10 +51,5 @@
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context. Only sessions which are intended
-# to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-
# Standard Un*x password updating.
@include common-password
Reply to: