03-08-2012, 06:13 PM
Laurent Bigonville

Adding selinux pam module by default for desktop manager

Hi,

On an SELinux-enabled system, login applications need to call the selinux pam
module during the opening of the session to correctly set the user's
security context. In Debian the "login" service is already doing this,
but desktop managers are not.

I would propose to add the needed call to the pam_selinux module in DM
pam services by default. This pam module is installed in the
libpam-modules package, which is (I think) installed by default on
every system. On a system where SELinux is disabled, the pam module
should return a success.

The pam module needs to be called twice, please see the login pam
service or my patch[0] for gdm3. The module can be 'require'ed if we
are sure it's installed on the system.

Any input on this?

Cheers

Laurent Bigonville

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289


03-18-2012, 01:38 AM
Steve Langasek

Adding selinux pam module by default for desktop manager

On Thu, Mar 08, 2012 at 08:13:10PM +0100, Laurent Bigonville wrote:
> On an SELinux-enabled system, login applications need to call the selinux pam
> module during the opening of the session to correctly set the user's
> security context. In Debian the "login" service is already doing this,
> but desktop managers are not.

> I would propose to add the needed call to the pam_selinux module in DM
> pam services by default. This pam module is installed in the
> libpam-modules package, which is (I think) installed by default on
> every system.

Heh, yes, libpam-modules is a non-removable part of the system.

> The pam module needs to be called twice, please see the login pam
> service or my patch[0] for gdm3. The module can be 'require'ed if we
> are sure it's installed on the system.

> Any input on this?

> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289

This is an obviously-correct change to make; we should have the same
handling in gdm and other DMs as we do in login.

--
Steve Langasek
Debian Developer, Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
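
An added example, not part of the thread and not code from Debian or gdm3: a small checker that reports whether a PAM service file calls pam_selinux.so twice in its session stack, as the posts above describe. It assumes the two calls are the module's `close` and `open` invocations, in that order, as in the login service; both sample service files are constructed.

```python
import re

# Constructed sample: a display-manager service with both pam_selinux calls.
SAMPLE_WITH_SELINUX = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
@include common-auth
@include common-account
session  required   pam_selinux.so close
session  required   pam_limits.so
@include common-session
session  required   pam_selinux.so open
"""

# Constructed sample: the same service without any pam_selinux call.
SAMPLE_WITHOUT_SELINUX = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
@include common-auth
session  required   pam_limits.so
@include common-session
"""

# type, control (keyword or [value=action ...]), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def selinux_session_calls(text):
    """Return the argument lists of pam_selinux.so session rules, in file order."""
    calls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = RULE.match(line)
        if m and m.group(1) == "session" \
                and m.group(3).rsplit("/", 1)[-1] == "pam_selinux.so":
            calls.append(m.group(4).split())
    return calls

def check_service(text):
    """'ok' if close then open are both present, 'missing' if neither, else 'incomplete'."""
    calls = selinux_session_calls(text)
    if not calls:
        return "missing"
    modes = [a for args in calls for a in args if a in ("open", "close")]
    return "ok" if modes == ["close", "open"] else "incomplete"

if __name__ == "__main__":
    for name, text in (("with", SAMPLE_WITH_SELINUX), ("without", SAMPLE_WITHOUT_SELINUX)):
        print(name, check_service(text))
```

Rules pulled in through `@include` lines are not followed, so a service that gets pam_selinux only from an included file is reported as missing.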
 
