diff options
author | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
commit | b6e18c553fbbdc087b806a5839a516dfba0054a8 (patch) | |
tree | e605cc08b86ab873cef84d178ac945c066401a43 | |
parent | c961c7505700c1bb963909adcf994941045c2dac (diff) |
Bracket our session stack with calls to pam_selinux close/open (thanks,
Laurent Bigonville; closes: #679458).
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/openssh-server.sshd.pam | 13 |
2 files changed, 12 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 394096d41..27290431d 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -36,6 +36,8 @@ openssh (1:6.2p2-2) UNRELEASED; urgency=low | |||
36 | * This removes the last of our uses of debconf (closes: #221531). | 36 | * This removes the last of our uses of debconf (closes: #221531). |
37 | * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: | 37 | * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: |
38 | #677440, LP: #1067779). | 38 | #677440, LP: #1067779). |
39 | * Bracket our session stack with calls to pam_selinux close/open (thanks, | ||
40 | Laurent Bigonville; closes: #679458). | ||
39 | 41 | ||
40 | -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100 | 42 | -- Colin Watson <cjwatson@debian.org> Tue, 21 May 2013 17:49:35 +0100 |
41 | 43 | ||
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam index e61d67777..5f7ab2f60 100644 --- a/debian/openssh-server.sshd.pam +++ b/debian/openssh-server.sshd.pam | |||
@@ -13,6 +13,11 @@ account required pam_nologin.so | |||
13 | # Standard Un*x authorization. | 13 | # Standard Un*x authorization. |
14 | @include common-account | 14 | @include common-account |
15 | 15 | ||
16 | # SELinux needs to be the first session rule. This ensures that any | ||
17 | # lingering context has been cleared. Without this it is possible that a | ||
18 | # module could execute code in the wrong domain. | ||
19 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | ||
20 | |||
16 | # Set the loginuid process attribute. | 21 | # Set the loginuid process attribute. |
17 | session required pam_loginuid.so | 22 | session required pam_loginuid.so |
18 | 23 | ||
@@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1] | |||
31 | # Set up user limits from /etc/security/limits.conf. | 36 | # Set up user limits from /etc/security/limits.conf. |
32 | session required pam_limits.so | 37 | session required pam_limits.so |
33 | 38 | ||
34 | # Set up SELinux capabilities (need modified pam) | ||
35 | # session required pam_selinux.so multiple | ||
36 | |||
37 | # Read environment variables from /etc/environment and | 39 | # Read environment variables from /etc/environment and |
38 | # /etc/security/pam_env.conf. | 40 | # /etc/security/pam_env.conf. |
39 | session required pam_env.so # [1] | 41 | session required pam_env.so # [1] |
@@ -41,5 +43,10 @@ session required pam_env.so # [1] | |||
41 | # /etc/default/locale, so read that as well. | 43 | # /etc/default/locale, so read that as well. |
42 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale | 44 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale |
43 | 45 | ||
46 | # SELinux needs to intervene at login time to ensure that the process starts | ||
47 | # in the proper default security context. Only sessions which are intended | ||
48 | # to run in the user's context should be run after this. | ||
49 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | ||
50 | |||
44 | # Standard Un*x password updating. | 51 | # Standard Un*x password updating. |
45 | @include common-password | 52 | @include common-password |