Bug#664807: xdm: Please add calls to pam_selinux module in pam files
Package: xdm
Followup-For: Bug #664807
Hi,
I think that the attached patch should do it.
This is basically what login is doing.
Cheers
Laurent Bigonville
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- xdm-1.1.11/debian/xdm.pam
+++ xdm-1.1.11/debian/xdm.pam
@@ -3,7 +3,19 @@
auth required pam_env.so envfile=/etc/default/locale
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session required pam_selinux.so close
session required pam_limits.so
+@include common-session
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session required pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
@include common-auth
@include common-account
-@include common-session
@include common-password
Reply to: