author | Laurent Bigonville <bigon@bigon.be> | 2014-05-08 08:46:37 +0200 |
---|---|---|
committer | Christian Perrier <bubulle@debian.org> | 2014-05-08 08:46:37 +0200 |
commit | a154eb540139bbf21590cbd0e567e2e49b5cf884 (patch) | |
tree | 2fdde964cce26d9a1748968225c948fb4c7375c6 /debian/login.pam | |
parent | 4a2fadfa215ae12a7d455866950afd96bb1710ad (diff) | |
Move pam_selinux open call higher in the session stack
Diffstat (limited to 'debian/login.pam')
-rw-r--r-- | debian/login.pam | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/debian/login.pam b/debian/login.pam
index 354e62b4..dccad1f2 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -35,13 +35,23 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth requisite pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without out this it is possible
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
 # that a module could execute code in the wrong domain.
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
+# Sets the loginuid process attribute
+session required pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
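Review bot: After this move, the rule stated in the added comment ("Only sessions which are intended to run in the user's context should be run after this") covers every session line that now follows `pam_selinux.so open`: `pam_env` directly below in this hunk, and `pam_motd`, `pam_mail` and `@include common-session` as seen in the second hunk, all of which came before it on the old side. Neither the commit message nor the comments record that those modules were checked against that rule. A line such as `# Session modules listed below this line run after pam_selinux has set the user's security context.` would mark the ordering as deliberate and warn anyone who later adds a session module that must act in the login domain. As a smaller style point, the two-line "When the module is present" remark trails the `open` entry but precedes the `close` entry; placing it above the `open` line would keep the two stanzas parallel.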
@@ -95,17 +105,7 @@ session optional pam_motd.so
 # See comments in /etc/login.defs
 session optional pam_mail.so standard
 
-# Sets the loginuid process attribute
-session required pam_loginuid.so
-
 # Standard Un*x account and session
 @include common-account
 @include common-session
 @include common-password
-
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.) |