From b6e18c553fbbdc087b806a5839a516dfba0054a8 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Wed, 22 May 2013 02:08:11 +0100
Subject: Bracket our session stack with calls to pam_selinux close/open (thanks, Laurent Bigonville; closes: #679458).
---
 debian/changelog | 2 ++
 debian/openssh-server.sshd.pam | 13 ++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 394096d41..27290431d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,8 @@ openssh (1:6.2p2-2) UNRELEASED; urgency=low
 * This removes the last of our uses of debconf (closes: #221531).
 * Use the pam_loginuid session module (thanks, Laurent Bigonville; closes: #677440, LP: #1067779).
+ * Bracket our session stack with calls to pam_selinux close/open (thanks,
+ Laurent Bigonville; closes: #679458).
 -- Colin Watson Tue, 21 May 2013 17:49:35 +0100
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam
index e61d67777..5f7ab2f60 100644
--- a/debian/openssh-server.sshd.pam
+++ b/debian/openssh-server.sshd.pam
@@ -13,6 +13,11 @@ account required pam_nologin.so
 # Standard Un*x authorization.
 @include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
 # Set the loginuid process attribute.
 session required pam_loginuid.so
@@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1]
 # Set up user limits from /etc/security/limits.conf.
 session required pam_limits.so
-# Set up SELinux capabilities (need modified pam)
-# session required pam_selinux.so multiple
-
 # Read environment variables from /etc/environment and
 # /etc/security/pam_env.conf.
 session required pam_env.so # [1]
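Review bot: The bracketed control on the new `pam_selinux.so close` line in the first openssh-server.sshd.pam hunk is not explained, and the same string is repeated on the `pam_selinux.so open` line in the last hunk of this file. For a session module it behaves like `required` with `module_unknown=ignore` added, so a host where pam_selinux.so cannot be loaded skips the context handling without any failure being reported to the stack. That looks intended for systems built without the module, but on an enforcing host a missing module would then go unnoticed at login, so the choice deserves a comment. I would add above each of the two lines something like `# Same as "required", except that a missing pam_selinux.so is tolerated (module_unknown=ignore).`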
@@ -41,5 +43,10 @@ session required pam_env.so # [1]
 # /etc/default/locale, so read that as well.
 session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
 # Standard Un*x password updating.
 @include common-password
-- cgit v1.2.3
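Review bot: The comment added above `pam_selinux.so open` states an ordering rule that these hunks do not let a reader verify, because the middle of the session stack (including any `@include common-session`) lies outside them. It should be checked against the full file that every session module not meant for the user's context sits between the `close` and `open` lines. The wording "Only sessions which are intended" is also loose; `# Only session modules which are intended to run in the user's context should be listed after this.` tells a future editor that new session lines belong above this rule by default. The next directive visible in the hunk is `@include common-password`, so at present nothing in the session stack appears to follow `open`.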