http://bugzilla.novell.com/show_bug.cgi?id=582366
http://bugzilla.novell.com/show_bug.cgi?id=582366#c0

Summary: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: justinmattock@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2b1) Gecko/20091114 Firefox/3.6b1

In order for an SELinux user to log in to the correct type/role (example: staff_t:staff_r:staff_r), /etc/pam.d/{login,xdm,gdm,(optional)sshd} need to have the pam_selinux.so open/close entries in them in order for libpam to properly do its thing.

Reproducible: Always

Steps to Reproduce:
If using a binary policy, one can check the login results with "semanage login -l"; there one can choose which one they want (roles etc.).
example: semanage login -a -s staff_u pebenito
After logging in/out the user should be in the role which they chose, example: staff_u:staff_r:staff_t

Actual Results:
Below are the three files login, gdm, and xdm which get me into the proper role upon login:

/etc/pam.d/*

cat login
#%PAM-1.0
auth     requisite pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_selinux.so close
session  required  pam_loginuid.so
session  include   common-session
session  required  pam_selinux.so open
session  required  pam_lastlog.so nowtmp
session  optional  pam_mail.so standard
session  optional  pam_ck_connector.so

cat gdm
#%PAM-1.0
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_selinux.so close
session  required  pam_loginuid.so
session  include   common-session
session  required  pam_selinux.so open

cat xdm
#%PAM-1.0
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_selinux.so close
session  required  pam_loginuid.so
session  include   common-session
session  required  pam_selinux.so open

As for sshd, I have not added pam_selinux.so to that yet.
If building the source with SELinux support enabled, the package does supply the correct SELinux/PAM modules (pam_selinux.so).

Expected Results:
Users should be able to log in under the correct type/role, e.g. sysadm_r, staff_r, user_r, unconfined_r, etc.
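An audit check for the entry ordering the reporter's files use (pam_selinux.so close before "include common-session", open after it), added here as an example; it is not part of the bug report or of openSUSE's packaging, and it writes constructed sample service files to a temporary directory rather than reading the real /etc/pam.d:

```shell
#!/bin/sh
# Added example, not from the bug report: verify that a PAM service file has
# "session ... pam_selinux.so close" before "session include common-session"
# and "session ... pam_selinux.so open" after it, the ordering used in the
# reporter's login/gdm/xdm files. Returns 0 when the file is set up that way.
check_pam_selinux() {
    f="$1"
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }
    # line numbers of the first matching session entries (comments start with #)
    close_ln=$(grep -n '^session.*pam_selinux\.so.*close' "$f" | head -n1 | cut -d: -f1)
    open_ln=$(grep -n '^session.*pam_selinux\.so.*open' "$f" | head -n1 | cut -d: -f1)
    common_ln=$(grep -n '^session.*include.*common-session' "$f" | head -n1 | cut -d: -f1)
    if [ -z "$close_ln" ] || [ -z "$open_ln" ]; then
        echo "$f: pam_selinux.so close/open session entries missing"; return 1
    fi
    if [ -n "$common_ln" ] && { [ "$close_ln" -gt "$common_ln" ] || [ "$open_ln" -lt "$common_ln" ]; }; then
        echo "$f: pam_selinux.so entries present but not around common-session"; return 1
    fi
    echo "$f: ok"
}

# Constructed sample service files (not real system files) written into "$1".
make_samples() {
    cat > "$1/login" <<'EOF'
#%PAM-1.0
auth     include  common-auth
account  include  common-account
password include  common-password
session  required pam_selinux.so close
session  required pam_loginuid.so
session  include  common-session
session  required pam_selinux.so open
EOF
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
auth     include  common-auth
account  include  common-account
password include  common-password
session  include  common-session
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for svc in login sshd; do
    # login passes; sshd lacks the entries and is reported as missing them
    check_pam_selinux "$SAMPLE_DIR/$svc" || echo "  -> add the entries to $svc first"
done
rm -rf "$SAMPLE_DIR"
```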