diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-22 02:08:11 +0100 |
| commit | b6e18c553fbbdc087b806a5839a516dfba0054a8 (patch) | |
| tree | e605cc08b86ab873cef84d178ac945c066401a43 /debian/openssh-server.sshd.pam | |
| parent | c961c7505700c1bb963909adcf994941045c2dac (diff) | |
Bracket our session stack with calls to pam_selinux close/open (thanks,
Laurent Bigonville; closes: #679458).
Diffstat (limited to 'debian/openssh-server.sshd.pam')
| -rw-r--r-- | debian/openssh-server.sshd.pam | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam index e61d67777..5f7ab2f60 100644 --- a/debian/openssh-server.sshd.pam +++ b/debian/openssh-server.sshd.pam | |||
| @@ -13,6 +13,11 @@ account required pam_nologin.so | |||
| 13 | # Standard Un*x authorization. | 13 | # Standard Un*x authorization. |
| 14 | @include common-account | 14 | @include common-account |
| 15 | 15 | ||
| 16 | # SELinux needs to be the first session rule. This ensures that any | ||
| 17 | # lingering context has been cleared. Without this it is possible that a | ||
| 18 | # module could execute code in the wrong domain. | ||
| 19 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | ||
| 20 | |||
| 16 | # Set the loginuid process attribute. | 21 | # Set the loginuid process attribute. |
| 17 | session required pam_loginuid.so | 22 | session required pam_loginuid.so |
| 18 | 23 | ||
| @@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1] | |||
| 31 | # Set up user limits from /etc/security/limits.conf. | 36 | # Set up user limits from /etc/security/limits.conf. |
| 32 | session required pam_limits.so | 37 | session required pam_limits.so |
| 33 | 38 | ||
| 34 | # Set up SELinux capabilities (need modified pam) | ||
| 35 | # session required pam_selinux.so multiple | ||
| 36 | |||
| 37 | # Read environment variables from /etc/environment and | 39 | # Read environment variables from /etc/environment and |
| 38 | # /etc/security/pam_env.conf. | 40 | # /etc/security/pam_env.conf. |
| 39 | session required pam_env.so # [1] | 41 | session required pam_env.so # [1] |
| @@ -41,5 +43,10 @@ session required pam_env.so # [1] | |||
| 41 | # /etc/default/locale, so read that as well. | 43 | # /etc/default/locale, so read that as well. |
| 42 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale | 44 | session required pam_env.so user_readenv=1 envfile=/etc/default/locale |
| 43 | 45 | ||
| 46 | # SELinux needs to intervene at login time to ensure that the process starts | ||
| 47 | # in the proper default security context. Only sessions which are intended | ||
| 48 | # to run in the user's context should be run after this. | ||
| 49 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | ||
| 50 | |||
| 44 | # Standard Un*x password updating. | 51 | # Standard Un*x password updating. |
| 45 | @include common-password | 52 | @include common-password |