Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#747303: openssh-server: Please move pam_selinux open call higher in the session PAM stack
From: Laurent Bigonville <bigon@debian.org>
Date: Wed, 07 May 2014 12:51:41 +0200
Message-id: <[🔎] 20140507105141.18641.22697.reportbug@soldur.bigon.be>
Reply-to: Laurent Bigonville <bigon@debian.org>, 747303@bugs.debian.org

Package: openssh-server
Version: 1:6.6p1-5
Severity: normal
Tags: patch

Hi,

After looking at Fedora/CentOS ssh pam config file and talking with
people upstream[0]

I think that the call to pam_selinux open should be moved higher in the
session stack (just after pam_loginuid and before pam_keyinit to follow
what Fedora is doing).

Note that any new pam modules should be added after this pam_selinux
open call.

Cheers,

Laurent Bigonville

[0] http://marc.info/?l=selinux&m=139940365925225&w=2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru openssh-6.6p1/debian/openssh-server.sshd.pam openssh-6.6p1/debian/openssh-server.sshd.pam
--- openssh-6.6p1/debian/openssh-server.sshd.pam	2014-04-21 22:24:51.000000000 +0200
+++ openssh-6.6p1/debian/openssh-server.sshd.pam	2014-05-07 10:48:31.000000000 +0200
@@ -21,6 +21,11 @@
 # Set the loginuid process attribute.
 session    required     pam_loginuid.so
 
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
 # Create a new session keyring.
 session    optional     pam_keyinit.so force revoke
 
@@ -46,10 +51,5 @@
 # /etc/default/locale, so read that as well.
 session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context.  Only sessions which are intended
-# to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
-
 # Standard Un*x password updating.
 @include common-password

Reply to:

Prev by Date: Processed: retitle 747245 to openssh-server: pam_keyinit available on linux architectures only
Next by Date: openssh 1:6.6p1-5 MIGRATED to testing
Previous by thread: Processed: retitle 747245 to openssh-server: pam_keyinit available on linux architectures only
Next by thread: openssh 1:6.6p1-5 MIGRATED to testing
Index(es):
- Date
- Thread