Adding selinux pam module by default for desktop manager
On Thu, Mar 08, 2012 at 08:13:10PM +0100, Laurent Bigonville wrote:
> On SELinux enabled system, login applications need to call selinux pam
> module during the opening of the session to correctly set the user's
> security context. In Debian the "login" service is already doing this,
> but desktop managers are not.
> I would propose to add the needed call to the pam_selinux module in DM
> pam services by default. This pam module is installed in the
> libpam-modules package, which is (I think) installed by default on
> every system.
Heh, yes, libpam-modules is a non-removable part of the system.
> The pam module needs to be called twice, please see the login pam
> service or my patch for gdm3. The module can be 'require'ed if we
> are sure it's installed on the system.
> Any input on this?
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661289
This is an obviously-correct change to make; we should have the same
handling in gdm and other DMs as we do in login.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/