commit pam for openSUSE:Factory
Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2012-09-26 16:25:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam", Maintainer is "mc@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2012-06-25 14:30:32.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes 2012-09-26 16:25:25.000000000 +0200
@@ -1,0 +2,14 @@
+Wed Sep 19 14:20:54 CEST 2012 - kukuk@suse.de
+
+- Fix building in Factory (add patch missing-DESTDIR.diff)
+
+-------------------------------------------------------------------
+Fri Sep 14 10:55:31 CEST 2012 - kukuk@suse.de
+
+- Update to Linux-PAM 1.1.6
+ - Update translations
+ - pam_cracklib: Add more checks for weak passwords
+ - pam_lastlog: Never lock out root
+ - Lot of bug fixes and smaller enhancements
+
+-------------------------------------------------------------------
@@ -4 +18 @@
-- Include correct headers for getrlimit.
+- Include correct headers for getrlimit (add patch pam-fix-includes.patch).
Old:
----
Linux-PAM-1.1.5-docs.tar.bz2
Linux-PAM-1.1.5.tar.bz2
New:
----
Linux-PAM-1.1.6-docs.tar.bz2
Linux-PAM-1.1.6.tar.bz2
missing-DESTDIR.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.JK1ppq/_old 2012-09-26 16:25:28.000000000 +0200
+++ /var/tmp/diff_new_pack.JK1ppq/_new 2012-09-26 16:25:28.000000000 +0200
@@ -30,6 +30,8 @@
 %if %{enable_selinux}
 BuildRequires: libselinux-devel
 %endif
+BuildRequires: autoconf
+BuildRequires: automake
 %define libpam_so_version 0.83.1
 %define libpam_misc_so_version 0.82.0
 %define libpamc_so_version 0.82.1
@@ -38,7 +40,7 @@
 Obsoletes: pam-64bit
 %endif
 #
-Version: 1.1.5
+Version: 1.1.6
 Release: 0
 Summary: A Security Tool that Provides Authentication for Applications
 License: GPL-2.0+ or BSD-3-Clause
@@ -58,6 +60,7 @@
 Source9: baselibs.conf
 Patch0: pam_tally-deprecated.diff
 Patch1: pam-fix-includes.patch
+Patch2: missing-DESTDIR.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build

 %description
@@ -107,9 +110,11 @@
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p0
-%patch1 -p1
+%patch1 -p0
+%patch2 -p1

 %build
+autoreconf
 export CFLAGS="%optflags -DNDEBUG"
 %configure \
 --sbindir=/sbin \
++++++ Linux-PAM-1.1.5-docs.tar.bz2 -> Linux-PAM-1.1.6-docs.tar.bz2 ++++++
Files old/Linux-PAM-1.1.5/doc/adg/Linux-PAM_ADG.pdf and new/Linux-PAM-1.1.6/doc/adg/Linux-PAM_ADG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/adg/html/adg-interface-by-app-expected.html new/Linux-PAM-1.1.6/doc/adg/html/adg-interface-by-app-expected.html
--- old/Linux-PAM-1.1.5/doc/adg/html/adg-interface-by-app-expected.html 2011-06-21 13:11:30.000000000 +0200
+++ new/Linux-PAM-1.1.6/doc/adg/html/adg-interface-by-app-expected.html 2012-08-17 11:56:33.000000000 +0200
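Review bot: The `%prep` hunk changes the strip level of the pre-existing patch from `%patch1 -p1` to `%patch1 -p0`, but neither this diff nor the pam.changes entry records that pam-fix-includes.patch itself was regenerated with matching paths; if the patch header paths did not change, `%patch1 -p0` will fail to apply and the build breaks at %prep. A short changes entry such as `- pam-fix-includes.patch: regenerated, now applied with -p0` would keep the packaging history auditable, since a silent re-level of a patch is hard to review against the tarball upgrade. The new `autoreconf` line in %build on a libtool-based tree (the spec tracks libpam/libpamc shared-object versions) will presumably also invoke libtoolize, so `BuildRequires: libtool` may be needed next to the autoconf/automake lines added in the first pam.spec hunk, unless it is already declared outside these hunks. The %build section continues past the end of the hunk.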
@@ -496,7 +496,7 @@ authentication token for a given user (as indicated by the state associated with the handle <span class="emphasis"><em>pamh</em></span>). </p><p> - The <span class="emphasis"><em>pamh</em></span> argument is an authentication + The <span class="emphasis"><em>pamh</em></span> argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values: Files old/Linux-PAM-1.1.5/doc/mwg/Linux-PAM_MWG.pdf and new/Linux-PAM-1.1.6/doc/mwg/Linux-PAM_MWG.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/mwg/html/mwg-expected-by-module-item.html new/Linux-PAM-1.1.6/doc/mwg/html/mwg-expected-by-module-item.html --- old/Linux-PAM-1.1.5/doc/mwg/html/mwg-expected-by-module-item.html 2011-06-21 13:12:25.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/mwg/html/mwg-expected-by-module-item.html 2012-08-17 11:56:38.000000000 +0200 
@@ -11,7 +11,7 @@ Essentially this is the <code class="filename">libpam.*</code> library. </p><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_set_data"></a>2.1.1. Set module internal data</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">int <b class="fsfunc">pam_set_data</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">module_data_name</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">data</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">(*cleanup)(pam_handle_t *pamh, void *data, int error_status)</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>const char *<var class="pdparam">module_data_name</var></code>;<br><code>void *<var class="pdparam">data</var></code>;<br><code>void <var class="pdparam">(*cleanup)(pam_handle_t *pamh, void *data, int error_status)</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_set_data-description"></a>2.1.1.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_set_data</code> function associates a pointer - to an object with the (hopefully) unique string + to an object with the (hopefully) unique string <span class="emphasis"><em>module_data_name</em></span> in the PAM context specified by the <span class="emphasis"><em>pamh</em></span> argument. </p><p> 
@@ -320,7 +320,7 @@ </p></dd></dl></div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_get_user"></a>2.1.5. Get user name</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">int <b class="fsfunc">pam_get_user</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">user</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">prompt</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>const pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>const char **<var class="pdparam">user</var></code>;<br><code>const char *<var class="pdparam">prompt</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_get_user-description"></a>2.1.5.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_get_user</code> function returns the name of the user specified by - <span class="citerefentry"><span class="refentrytitle">pam_start</span>(3)</span>. If no user was specified it what + <span class="citerefentry"><span class="refentrytitle">pam_start</span>(3)</span>. If no user was specified it what <code class="function">pam_get_item (pamh, PAM_USER, ... );</code> would have returned. If this is NULL it obtains the username via the <span class="citerefentry"><span class="refentrytitle">pam_conv</span>(3)</span> mechanism, it prompts the user with the first 
@@ -333,13 +333,13 @@ The default prompt: "login: " </p></li></ul></div><p> By whatever means the username is obtained, a pointer to it is - returned as the contents of <span class="emphasis"><em>*user</em></span>. Note, - this memory should <span class="emphasis"><em>not</em></span> be + returned as the contents of <span class="emphasis"><em>*user</em></span>. Note, + this memory should <span class="emphasis"><em>not</em></span> be <span class="emphasis"><em>free()</em></span>'d or <span class="emphasis"><em>modified</em></span> by the module. </p><p> This function sets the <span class="emphasis"><em>PAM_USER</em></span> item - associated with the + associated with the <span class="citerefentry"><span class="refentrytitle">pam_set_item</span>(3)</span> and <span class="citerefentry"><span class="refentrytitle">pam_get_item</span>(3)</span> functions. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_get_user-return_values"></a>2.1.5.2. RETURN VALUES</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/mwg/html/mwg-expected-of-module-auth.html new/Linux-PAM-1.1.6/doc/mwg/html/mwg-expected-of-module-auth.html --- old/Linux-PAM-1.1.5/doc/mwg/html/mwg-expected-of-module-auth.html 2011-06-21 13:12:26.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/mwg/html/mwg-expected-of-module-auth.html 2012-08-17 11:56:38.000000000 +0200 
@@ -18,7 +18,7 @@ Return <span class="emphasis"><em>PAM_AUTH_ERR</em></span> if the database of authentication tokens for this authentication mechanism has a <span class="emphasis"><em>NULL</em></span> entry for the user. - Without this flag, such a <span class="emphasis"><em>NULL</em></span> token + Without this flag, such a <span class="emphasis"><em>NULL</em></span> token will lead to a success without the user being prompted. </p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_authenticate-return_values"></a>3.2.1.2. RETURN VALUES</h4></div></div></div><div class="variablelist"><dl><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p> Authentication failure. @@ -27,7 +27,7 @@ credentials to authenticate the user. </p></dd><dt><span class="term">PAM_AUTHINFO_UNAVAIL</span></dt><dd><p> The modules were not able to access the authentication - information. This might be due to a network or hardware + information. This might be due to a network or hardware failure etc. </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> The authentication token was successfully updated. Files old/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.pdf and new/Linux-PAM-1.1.6/doc/sag/Linux-PAM_SAG.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.txt new/Linux-PAM-1.1.6/doc/sag/Linux-PAM_SAG.txt --- old/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.txt 2011-10-25 14:18:01.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/Linux-PAM_SAG.txt 2012-08-17 11:56:20.000000000 +0200 
@@ -835,20 +835,15 @@ Similar Is the new password too much like the old one? This is primarily controlled - by one argument, difok which is a number of characters that if different - between the old and new are enough to accept the new password, this - defaults to 10 or 1/2 the size of the new password whichever is smaller. - - To avoid the lockup associated with trying to change a long and complicated - password, difignore is available. This argument can be used to specify the - minimum length a new password needs to be before the difok value is - ignored. The default value for difignore is 23. + by one argument, difok which is a number of character changes (inserts, + removals, or replacements) between the old and new password that are enough + to accept the new password. This defaults to 5 changes. Simple - Is the new password too small? This is controlled by 5 arguments minlen, - dcredit, ucredit, lcredit, and ocredit. See the section on the arguments - for the details of how these work and there defaults. + Is the new password too small? This is controlled by 6 arguments minlen, + maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on + the arguments for the details of how these work and there defaults. Rotated @@ -858,6 +853,10 @@ Optional check for same consecutive characters. +Too long monotonic character sequence + + Optional check for too long monotonic character sequence. + Contains user name Optional check whether the password contains the user's name in some form. 
@@ -896,15 +895,8 @@ difok=N - This argument will change the default of 5 for the number of characters in - the new password that must not be present in the old password. In addition, - if 1/2 of the characters in the new password are different then the new - password will be accepted anyway. - -difignore=N - - How many characters should the password have before difok will be ignored. - The default is 23. + This argument will change the default of 5 for the number of character + changes in the new password that differentiate it from the old password. minlen=N @@ -972,11 +964,37 @@ Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled. +maxsequence=N + + Reject passwords which contain monotonic character sequences longer than N. + The default is 0 which means that this check is disabled. Examples of such + sequence are '12345' or 'fedcb'. Note that most such passwords will not + pass the simplicity check unless the sequence is only a minor part of the + password. + +maxclassrepeat=N + + Reject passwords which contain more than N consecutive characters of the + same class. The default is 0 which means that this check is disabled. + reject_username Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected. +gecoscheck + + Check whether the words from the GECOS field (usualy full name of the user) + longer than 3 characters in straight or reversed form are contained in the + new password. If any such word is found the new password is rejected. + +enforce_for_root + + The module will return error on failed check also if the user changing the + password is root. This option is off by default which means that just the + message about the failed check is printed but root can change the password + anyway. + use_authtok This argument is used to force the module to not prompt the user for a new 
@@ -2066,7 +2084,7 @@ 6.14. pam_lastlog - display date of last login pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [ noterm ] -[ nowtmp ] [ noupdate ] [ showfailed ] +[ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] 6.14.1. DESCRIPTION @@ -2076,6 +2094,10 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. +If the module is called in the auth or account phase, the accounts that were +not used recently enough will be disallowed to log in. The check is not +performed for the root account so the root is never locked out. + 6.14.2. OPTIONS debug @@ -2118,9 +2140,17 @@ Display number of failed login attempts and the date of the last failed attempt from btmp. The date is not displayed when nodate is specified. +inactive=<days> + + This option is specific for the auth or account phase. It specifies the + number of days after the last login of the user when the user will be + locked out by the module. The default value is 90. + 6.14.3. MODULE TYPES PROVIDED -Only the session module type is provided. +The auth and account module type allows to lock out users which did not login +recently enough. The session module type is provided for displaying the +information about the last login and/or updating the lastlog and wtmp files. 6.14.4. RETURN VALUES @@ -2136,6 +2166,15 @@ User not known. +PAM_AUTH_ERR + + User locked out in the auth or account phase due to inactivity. + +PAM_IGNORE + + There was an error during reading the lastlog file in the auth or account + phase and thus inactivity of the user cannot be determined. + 6.14.5. EXAMPLES Add the following line to /etc/pam.d/login to display the last login time of an 
@@ -2144,10 +2183,18 @@ session required pam_lastlog.so nowtmp +To reject the user if he did not login during the previous 50 days the +following line can be used: + + auth required pam_lastlog.so inactive=50 + + 6.14.6. AUTHOR pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. +Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. + 6.15. pam_limits - limit resources pam_limits.so [ conf=/path/to/limits.conf ] [ debug ] [ set_all ] [ utmp_early @@ -2173,6 +2220,11 @@ 6.15.2. DESCRIPTION +The pam_limits.so module applies ulimit limits, nice priority and number of +simultaneous login sessions limit to user login sessions. This description of +the configuration file syntax applies to the /etc/security/limits.conf file and +*.conf files in the /etc/security/limits.d directory. + The syntax of the lines is as follows: <domain> <type> <item> <value> @@ -2321,6 +2373,9 @@ Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session. +One exception is the maxlogin option, this one is system wide. But there is a +race, concurrent logins at the same time will not always be detect as such but +only counted as one. In the limits configuration file, the '#' character introduces a comment - after which the rest of the line is ignored. @@ -2861,7 +2916,7 @@ pam_namespace.so [ debug ] [ unmnt_remnt ] [ unmnt_only ] [ require_selinux ] [ gen_hash ] [ ignore_config_error ] [ ignore_instance_parent_mode ] [ -no_unmount_on_close ] [ use_current_context ] [ use_default_context ] [ +unmount_on_close ] [ use_current_context ] [ use_default_context ] [ mount_private ] 6.22.1. DESCRIPTION 
@@ -3011,12 +3066,14 @@ will reduce security and isolation goals of the polyinstantiation mechanism. -no_unmount_on_close +unmount_on_close - For certain trusted programs such as newrole, open session is called from a - child process while the parent performs close session and pam end - functions. For these commands use this option to instruct pam_close_session - to not unmount the bind mounted polyinstantiated directory in the parent. + Explicitly unmount the polyinstantiated directories instead of relying on + automatic namespace destruction after the last process in a namespace + exits. This option should be used only in case it is ensured by other means + that there cannot be any processes running in the private namespace left + after the session close. It is also useful only in case there are multiple + pam session calls in sequence from the same process. use_current_context @@ -3034,10 +3091,15 @@ This option can be used on systems where the / mount point or its submounts are made shared (for example with a mount --make-rshared / command). The - module will make the polyinstantiated directory mount points private. - Normally the pam_namespace will try to detect the shared / mount point and - make the polyinstantiated directories private automatically. This option - has to be used just when only a subtree is shared and / is not. + module will mark the whole directory tree so any mount and unmount + operations in the polyinstantiation namespace are private. Normally the + pam_namespace will try to detect the shared / mount point and make the + polyinstantiated directories private automatically. This option has to be + used just when only a subtree is shared and / is not. + + Note that mounts and unmounts done in the private namespace will not affect + the parent namespace if this option is used or when the shared / mount + point is autodetected. 6.22.4. MODULE TYPES PROVIDED 
@@ -3503,63 +3565,71 @@ 6.29. pam_selinux - set the default security context -pam_selinux.so [ close ] [ debug ] [ open ] [ nottys ] [ verbose ] [ -select_context ] [ env_params ] [ use_current_range ] +pam_selinux.so [ open ] [ close ] [ restore ] [ nottys ] [ debug ] [ verbose ] +[ select_context ] [ env_params ] [ use_current_range ] 6.29.1. DESCRIPTION -In a nutshell, pam_selinux sets up the default security context for the next -execed shell. +pam_selinux is a PAM module that sets up the default SELinux security context +for the next executed process. -When an application opens a session using pam_selinux, the shell that gets -executed will be run in the default security context, or if the user chooses -and the pam file allows the selected security context. Also the controlling tty -will have it's security context modified to match the users. - -Adding pam_selinux into a pam file could cause other pam modules to change -their behavior if the exec another application. The close and open option help -mitigate this problem. close option will only cause the close portion of the -pam_selinux to execute, and open will only cause the open portion to run. You -can add pam_selinux to the config file twice. Add the pam_selinux close as the -executes the open pass through the modules, pam_selinux open_session will -happen last. When PAM executes the close pass through the modules pam_selinux -close_session will happen first. +When a new session is started, the open_session part of the module computes and +sets up the execution security context used for the next execve(2) call, the +file security context for the controlling terminal, and the security context +used for creating a new kernel keyring. + +When the session is ended, the close_session part of the module restores old +security contexts that were in effect before the change made by the +open_session part of the module. 
+ +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM +modules which execute applications. To avoid that, pam_selinux.so open should +be placed after such modules in the PAM stack, and pam_selinux.so close should +be placed before them. When such a placement is not feasible, pam_selinux.so +restore could be used to temporary restore original security contexts. 6.29.2. OPTIONS -close +open - Only execute the close_session portion of the module. + Only execute the open_session part of the module. -debug +close - Turns on debugging via syslog(3). + Only execute the close_session part of the module. -open +restore - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the security + contexts as they were before the previous call of the module. Another call + of this module without the restore option will set up the new security + contexts again. nottys - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + +debug + + Turn on debug messages via syslog(3). verbose - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. select_context - Attempt to ask the user for a custom security context role. If MLS is on + Attempt to ask the user for a custom security context role. If MLS is on, ask also for sensitivity level. env_params Attempt to obtain a custom security context role from PAM environment. If - MLS is on obtain also sensitivity level. This option and the select_context - option are mutually exclusive. The respective PAM environment variables are - SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and - SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and - the last one if set to 1 makes the PAM module behave as if the + MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. 
The respective PAM + environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, + and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing + and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. use_current_range @@ -3574,18 +3644,22 @@ 6.29.4. RETURN VALUES -PAM_AUTH_ERR - - Unable to get or set a valid context. - PAM_SUCCESS The security context was set successfully. +PAM_SESSION_ERR + + Unable to get or set a valid context. + PAM_USER_UNKNOWN The user is not known to the system. +PAM_BUF_ERR + + Memory allocation error. + 6.29.5. EXAMPLES auth required pam_unix.so @@ -3646,8 +3720,9 @@ 6.31.1. DESCRIPTION pam_succeed_if.so is designed to succeed or fail authentication based on -characteristics of the account belonging to the user being authenticated. One -use is to select whether to load other modules based on this test. +characteristics of the account belonging to the user being authenticated or +values of other PAM items. One use is to select whether to load other modules +based on this test. The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. @@ -3683,7 +3758,8 @@ Conditions are three words: a field, a test, and a value to test for. -Available fields are user, uid, gid, shell, home and service: +Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service +: field < number @@ -4259,7 +4335,6 @@ Games (configured to use PAM) are only to be accessed out of working hours. This rule does not apply to the user waster: - games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 @@ -4340,7 +4415,7 @@ 6.35.8. AUTHOR -pam_tally was written by Nalin Dahyabhai. +pam_timestamp was written by Nalin Dahyabhai. 6.36. pam_umask - set the file mode creation mask 
@@ -4357,16 +4432,17 @@ ● umask= argument - ● umask= entry of the users GECOS field - - ● pri= entry of the users GECOS field - - ● ulimit= entry of the users GECOS field + ● umask= entry in the user's GECOS field ● UMASK= entry from /etc/default/login ● UMASK entry from /etc/login.defs +The GECOS field is split on comma ',' characters. The module also in addition +to the umask= entry recognizes pri= entry, which sets the nice priority value +for the session, and ulimit= entry, which sets the maximum size of files the +processes in the session can create. + 6.36.2. OPTIONS debug @@ -4519,7 +4595,8 @@ The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating - between the same password too frequently. + between the same password too frequently. Instead of this option the + pam_pwhistory module should be used. shadow diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_cracklib.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_cracklib.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_cracklib.html 2011-10-25 14:18:51.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_cracklib.html 2012-08-17 11:56:26.000000000 +0200 
@@ -25,19 +25,14 @@ </p></dd><dt><span class="term">Similar</span></dt><dd><p> Is the new password too much like the old one? This is primarily controlled by one argument, - <code class="option">difok</code> which is a number of characters - that if different between the old and new are enough to accept - the new password, this defaults to 10 or 1/2 the size of the - new password whichever is smaller. - </p><p> - To avoid the lockup associated with trying to change a long and - complicated password, <code class="option">difignore</code> is available. - This argument can be used to specify the minimum length a new - password needs to be before the <code class="option">difok</code> value is - ignored. The default value for <code class="option">difignore</code> is 23. + <code class="option">difok</code> which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. </p></dd><dt><span class="term">Simple</span></dt><dd><p> Is the new password too small? - This is controlled by 5 arguments <code class="option">minlen</code>, + This is controlled by 6 arguments <code class="option">minlen</code>, + <code class="option">maxclassrepeat</code>, <code class="option">dcredit</code>, <code class="option">ucredit</code>, <code class="option">lcredit</code>, and <code class="option">ocredit</code>. See the section on the arguments for the details of how these work and there defaults. 
@@ -45,6 +40,8 @@ Is the new password a rotated version of the old password? </p></dd><dt><span class="term">Same consecutive characters</span></dt><dd><p> Optional check for same consecutive characters. + </p></dd><dt><span class="term">Too long monotonic character sequence</span></dt><dd><p> + Optional check for too long monotonic character sequence. </p></dd><dt><span class="term">Contains user name</span></dt><dd><p> Optional check whether the password contains the user's name in some form. @@ -88,17 +85,9 @@ <code class="option">difok=<em class="replaceable"><code>N</code></em></code> </span></dt><dd><p> This argument will change the default of - <span class="emphasis"><em>5</em></span> for the number of characters in - the new password that must not be present in the old - password. In addition, if 1/2 of the characters in the - new password are different then the new password will - be accepted anyway. - </p></dd><dt><span class="term"> - <code class="option">difignore=<em class="replaceable"><code>N</code></em></code> - </span></dt><dd><p> - How many characters should the password have before - difok will be ignored. The default is - <span class="emphasis"><em>23</em></span>. + <span class="emphasis"><em>5</em></span> for the number of character + changes in the new password that differentiate it + from the old password. </p></dd><dt><span class="term"> <code class="option">minlen=<em class="replaceable"><code>N</code></em></code> </span></dt><dd><p> 
@@ -189,12 +178,40 @@ characters. The default is 0 which means that this check is disabled. </p></dd><dt><span class="term"> + <code class="option">maxsequence=<em class="replaceable"><code>N</code></em></code> + </span></dt><dd><p> + Reject passwords which contain monotonic character sequences + longer than N. The default is 0 which means that this check + is disabled. Examples of such sequence are '12345' or 'fedcb'. + Note that most such passwords will not pass the simplicity + check unless the sequence is only a minor part of the password. + </p></dd><dt><span class="term"> + <code class="option">maxclassrepeat=<em class="replaceable"><code>N</code></em></code> + </span></dt><dd><p> + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + </p></dd><dt><span class="term"> <code class="option">reject_username</code> </span></dt><dd><p> Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected. </p></dd><dt><span class="term"> + <code class="option">gecoscheck</code> + </span></dt><dd><p> + Check whether the words from the GECOS field (usualy full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + </p></dd><dt><span class="term"> + <code class="option">enforce_for_root</code> + </span></dt><dd><p> + The module will return error on failed check also if the user + changing the password is root. This option is off by default + which means that just the message about the failed check is + printed but root can change the password anyway. 
+ </p></dd><dt><span class="term"> <code class="option">use_authtok</code> </span></dt><dd><p> This argument is used to <span class="emphasis"><em>force</em></span> the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_env.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_env.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_env.html 2011-10-25 14:18:53.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_env.html 2012-08-17 11:56:26.000000000 +0200 @@ -31,7 +31,7 @@ to other modules, this module should be the last one on the stack. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env.conf-description"></a>6.6.2. DESCRIPTION</h3></div></div></div><p> The <code class="filename">/etc/security/pam_env.conf</code> file specifies - the environment variables to be set, unset or modified by + the environment variables to be set, unset or modified by <span class="citerefentry"><span class="refentrytitle">pam_env</span>(8)</span>. When someone logs in, this file is read and the environment variables are set according. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_exec.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_exec.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_exec.html 2011-10-25 14:18:53.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_exec.html 2012-08-17 11:56:26.000000000 +0200 
@@ -48,14 +48,14 @@ </p></dd><dt><span class="term"> <code class="option">quiet</code> </span></dt><dd><p> - Per default pam_exec.so will echo the exit status of the - external command if it fails. + Per default pam_exec.so will echo the exit status of the + external command if it fails. Specifying this option will suppress the message. </p></dd><dt><span class="term"> <code class="option">seteuid</code> </span></dt><dd><p> - Per default pam_exec.so will execute the external command - with the real user ID of the calling process. + Per default pam_exec.so will execute the external command + with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID. </p></dd></dl></div><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_lastlog.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_lastlog.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_lastlog.html 2011-10-25 14:18:55.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_lastlog.html 2012-08-17 11:56:26.000000000 +0200 @@ -16,6 +16,8 @@ noupdate ] [ showfailed + ] [ + inactive=<days> ]</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-description"></a>6.14.1. DESCRIPTION</h3></div></div></div><p> pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains 
@@ -23,6 +25,11 @@ </p><p> Some applications may perform this function themselves. In such cases, this module is not necessary. + </p><p> + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-options"></a>6.14.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl><dt><span class="term"> <code class="option">debug</code> </span></dt><dd><p> 
@@ -67,8 +74,19 @@ Display number of failed login attempts and the date of the last failed attempt from btmp. The date is not displayed when <code class="option">nodate</code> is specified. + </p></dd><dt><span class="term"> + <code class="option">inactive=<days></code> + </span></dt><dd><p> + This option is specific for the auth or account phase. It + specifies the number of days after the last login of the user + when the user will be locked out by the module. The default + value is 90. </p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-types"></a>6.14.3. MODULE TYPES PROVIDED</h3></div></div></div><p> - Only the <code class="option">session</code> module type is provided. + The <code class="option">auth</code> and <code class="option">account</code> module type + allows to lock out users which did not login recently enough. + The <code class="option">session</code> module type is provided for displaying + the information about the last login and/or updating the lastlog and + wtmp files. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-return_values"></a>6.14.4. RETURN VALUES</h3></div></div></div><p> </p><div class="variablelist"><dl><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> Everything was successful. 
@@ -76,12 +94,26 @@ Internal service module error. </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p> User not known. + </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p> + User locked out in the auth or account phase due to + inactivity. + </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p> + There was an error during reading the lastlog file + in the auth or account phase and thus inactivity + of the user cannot be determined. </p></dd></dl></div><p> </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-examples"></a>6.14.5. EXAMPLES</h3></div></div></div><p> Add the following line to <code class="filename">/etc/pam.d/login</code> to display the last login time of an user: </p><pre class="programlisting"> session required pam_lastlog.so nowtmp + </pre><p> + To reject the user if he did not login during the previous 50 days + the following line can be used: + </p><pre class="programlisting"> + auth required pam_lastlog.so inactive=50 </pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-author"></a>6.14.6. AUTHOR</h3></div></div></div><p> pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + </p><p> + Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_keyinit.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_limits.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.13. pam_keyinit - display the keyinit file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.15. 
pam_limits - limit resources</td></tr></table></div></body></html> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_limits.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_limits.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_limits.html 2011-10-25 14:18:56.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_limits.html 2012-08-17 11:56:26.000000000 +0200 @@ -27,6 +27,13 @@ when it denies access based on limit of maximum number of concurrent login sessions. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-limits.conf-description"></a>6.15.2. DESCRIPTION</h3></div></div></div><p> + The <span class="emphasis"><em>pam_limits.so</em></span> module applies ulimit limits, + nice priority and number of simultaneous login sessions limit to user + login sessions. This description of the configuration file syntax + applies to the <code class="filename">/etc/security/limits.conf</code> file and + <code class="filename">*.conf</code> files in the + <code class="filename">/etc/security/limits.d</code> directory. + </p><p> The syntax of the lines is as follows: </p><p> <em class="replaceable"><code><domain></code></em> <em class="replaceable"><code><type></code></em> 
@@ -107,6 +114,9 @@ Also, please note that all limit settings are set <span class="emphasis"><em>per login</em></span>. They are not global, nor are they permanent; existing only for the duration of the session. + One exception is the <span class="emphasis"><em>maxlogin</em></span> option, this one + is system wide. But there is a race, concurrent logins at the same + time will not always be detect as such but only counted as one. </p><p> In the <span class="emphasis"><em>limits</em></span> configuration file, the '<span class="emphasis"><em>#</em></span>' character introduces a comment diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_namespace.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_namespace.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_namespace.html 2011-10-25 14:18:57.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_namespace.html 2012-08-17 11:56:27.000000000 +0200 @@ -13,7 +13,7 @@ ] [ ignore_instance_parent_mode ] [ - no_unmount_on_close + unmount_on_close ] [ use_current_context ] [ @@ -73,7 +73,7 @@ </p><p> The second field, <em class="replaceable"><code>instance_prefix</code></em> is the string prefix used to build the pathname for the instantiation - of <polydir>. Depending on the polyinstantiation + of <polydir>. Depending on the polyinstantiation <em class="replaceable"><code>method</code></em> it is then appended with "instance differentiation string" to generate the final instance directory path. This directory is created if it did not exist 
@@ -85,7 +85,7 @@ </p><p> The third field, <em class="replaceable"><code>method</code></em>, is the method used for polyinstantiation. It can take these values; "user" - for polyinstantiation based on user name, "level" for + for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and @@ -187,14 +187,15 @@ should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism. </p></dd><dt><span class="term"> - <code class="option">no_unmount_on_close</code> + <code class="option">unmount_on_close</code> </span></dt><dd><p> - For certain trusted programs such as newrole, open session - is called from a child process while the parent performs - close session and pam end functions. For these commands - use this option to instruct pam_close_session to not - unmount the bind mounted polyinstantiated directory in the - parent. + Explicitly unmount the polyinstantiated directories instead + of relying on automatic namespace destruction after the last + process in a namespace exits. This option should be used + only in case it is ensured by other means that there cannot be + any processes running in the private namespace left after the + session close. It is also useful only in case there are + multiple pam session calls in sequence from the same process. </p></dd><dt><span class="term"> <code class="option">use_current_context</code> </span></dt><dd><p> 
@@ -215,11 +216,16 @@ This option can be used on systems where the / mount point or its submounts are made shared (for example with a <span class="command"><strong>mount --make-rshared /</strong></span> command). - The module will make the polyinstantiated directory mount points - private. Normally the pam_namespace will try to detect the + The module will mark the whole directory tree so any mount and + unmount operations in the polyinstantiation namespace are private. + Normally the pam_namespace will try to detect the shared / mount point and make the polyinstantiated directories private automatically. This option has to be used just when only a subtree is shared and / is not. + </p><p> + Note that mounts and unmounts done in the private namespace will not + affect the parent namespace if this option is used or when the + shared / mount point is autodetected. </p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-types"></a>6.22.4. MODULE TYPES PROVIDED</h3></div></div></div><p> Only the <code class="option">session</code> module type is provided. The module must not be called from multithreaded processes. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_selinux.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_selinux.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_selinux.html 2011-10-25 14:18:59.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_selinux.html 2012-08-17 11:56:27.000000000 +0200 
@@ -1,12 +1,14 @@ <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.29. pam_selinux - set the default security context</title><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_securetty.html" title="6.28. pam_securetty - limit root login to special devices"><link rel="next" href="sag-pam_shells.html" title="6.30. pam_shells - check for valid login shell"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.29. pam_selinux - set the default security context</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_securetty.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_shells.html">Next</a></td></tr></table><hr></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_selinux"></a>6.29. pam_selinux - set the default security context</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_selinux.so</code> [ - close + open ] [ - debug + close ] [ - open + restore ] [ nottys ] [ + debug + ] [ verbose ] [ select_context 
@@ -15,59 +17,68 @@ ] [ use_current_range ]</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-description"></a>6.29.1. DESCRIPTION</h3></div></div></div><p> - In a nutshell, pam_selinux sets up the default security context for the - next execed shell. + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. </p><p> - When an application opens a session using pam_selinux, the shell that - gets executed will be run in the default security context, or if the - user chooses and the pam file allows the selected security context. - Also the controlling tty will have it's security context modified to - match the users. + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + <span class="citerefentry"><span class="refentrytitle">execve</span>(2)</span> + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. </p><p> - Adding pam_selinux into a pam file could cause other pam modules to - change their behavior if the exec another application. The close and - open option help mitigate this problem. close option will only cause - the close portion of the pam_selinux to execute, and open will only - cause the open portion to run. You can add pam_selinux to the config - file twice. Add the pam_selinux close as the executes the open pass - through the modules, pam_selinux open_session will happen last. - When PAM executes the close pass through the modules pam_selinux - close_session will happen first. + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. 
+ </p><p> + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. To avoid that, + <span class="emphasis"><em>pam_selinux.so open</em></span> should be placed after such + modules in the PAM stack, and <span class="emphasis"><em>pam_selinux.so close</em></span> + should be placed before them. When such a placement is not feasible, + <span class="emphasis"><em>pam_selinux.so restore</em></span> could be used to temporary + restore original security contexts. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-options"></a>6.29.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl><dt><span class="term"> - <code class="option">close</code> + <code class="option">open</code> </span></dt><dd><p> - Only execute the close_session portion of the module. + Only execute the open_session part of the module. </p></dd><dt><span class="term"> - <code class="option">debug</code> + <code class="option">close</code> </span></dt><dd><p> - Turns on debugging via - <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>. + Only execute the close_session part of the module. </p></dd><dt><span class="term"> - <code class="option">open</code> + <code class="option">restore</code> </span></dt><dd><p> - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. </p></dd><dt><span class="term"> <code class="option">nottys</code> </span></dt><dd><p> - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. 
+ </p></dd><dt><span class="term"> + <code class="option">debug</code> + </span></dt><dd><p> + Turn on debug messages via + <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>. </p></dd><dt><span class="term"> <code class="option">verbose</code> </span></dt><dd><p> - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. </p></dd><dt><span class="term"> <code class="option">select_context</code> </span></dt><dd><p> Attempt to ask the user for a custom security context role. - If MLS is on ask also for sensitivity level. + If MLS is on, ask also for sensitivity level. </p></dd><dt><span class="term"> <code class="option">env_params</code> </span></dt><dd><p> Attempt to obtain a custom security context role from PAM environment. - If MLS is on obtain also sensitivity level. This option and the - select_context option are mutually exclusive. The respective PAM + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM environment variables are <span class="emphasis"><em>SELINUX_ROLE_REQUESTED</em></span>, <span class="emphasis"><em>SELINUX_LEVEL_REQUESTED</em></span>, and - <span class="emphasis"><em>SELINUX_USE_CURRENT_RANGE</em></span>. The first two variables + <span class="emphasis"><em>SELINUX_USE_CURRENT_RANGE</em></span>. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. </p></dd><dt><span class="term"> 
@@ -78,12 +89,14 @@ sensitivity level from the user or obtaining it from PAM environment. </p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-types"></a>6.29.3. MODULE TYPES PROVIDED</h3></div></div></div><p> Only the <code class="option">session</code> module type is provided. - </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-return_values"></a>6.29.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p> - Unable to get or set a valid context. - </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> + </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-return_values"></a>6.29.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> The security context was set successfully. + </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p> + Unable to get or set a valid context. </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p> The user is not known to the system. + </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p> + Memory allocation error. </p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-examples"></a>6.29.5. 
EXAMPLES</h3></div></div></div><pre class="programlisting"> auth required pam_unix.so session required pam_permit.so diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_succeed_if.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_succeed_if.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_succeed_if.html 2011-10-25 14:18:59.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_succeed_if.html 2012-08-17 11:56:27.000000000 +0200 
@@ -1,8 +1,8 @@ <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.31. pam_succeed_if - test account characteristics</title><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_shells.html" title="6.30. pam_shells - check for valid login shell"><link rel="next" href="sag-pam_tally.html" title="6.32. pam_tally - login counter (tallying) module"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.31. pam_succeed_if - test account characteristics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_shells.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_tally.html">Next</a></td></tr></table><hr></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_succeed_if"></a>6.31. pam_succeed_if - test account characteristics</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_succeed_if.so</code> [<em class="replaceable"><code>flag</code></em>...] [<em class="replaceable"><code>condition</code></em>...]</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-description"></a>6.31.1. DESCRIPTION</h3></div></div></div><p> pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being - authenticated. One use is to select whether to load other modules based - on this test. 
+ authenticated or values of other PAM items. One use is to select whether + to load other modules based on this test. </p><p> The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. @@ -24,8 +24,9 @@ </p><p> Available fields are <span class="emphasis"><em>user</em></span>, <span class="emphasis"><em>uid</em></span>, <span class="emphasis"><em>gid</em></span>, - <span class="emphasis"><em>shell</em></span>, <span class="emphasis"><em>home</em></span> - and <span class="emphasis"><em>service</em></span>: + <span class="emphasis"><em>shell</em></span>, <span class="emphasis"><em>home</em></span>, + <span class="emphasis"><em>ruser</em></span>, <span class="emphasis"><em>rhost</em></span>, + <span class="emphasis"><em>tty</em></span> and <span class="emphasis"><em>service</em></span>: </p><div class="variablelist"><dl><dt><span class="term"><code class="option">field < number</code></span></dt><dd><p>Field has a value numerically less than number.</p></dd><dt><span class="term"><code class="option">field <= number</code></span></dt><dd><p> Field has a value numerically less than or equal to number. </p></dd><dt><span class="term"><code class="option">field eq number</code></span></dt><dd><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_time.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_time.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_time.html 2011-10-25 14:19:00.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_time.html 2012-08-17 11:56:27.000000000 +0200 
@@ -109,7 +109,7 @@ Games (configured to use PAM) are only to be accessed out of working hours. This rule does not apply to the user <span class="emphasis"><em>waster</em></span>: - </p><pre class="programlisting"> + </p><pre class="programlisting"> games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 </pre><p> </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-authors"></a>6.34.8. AUTHOR</h3></div></div></div><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_timestamp.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_timestamp.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_timestamp.html 2011-10-25 14:19:00.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_timestamp.html 2012-08-17 11:56:27.000000000 +0200 
@@ -49,5 +49,5 @@ session required pam_unix.so session optional pam_timestamp.so </pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-files"></a>6.35.7. FILES</h3></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="filename">/var/run/sudo/...</code></span></dt><dd><p>timestamp files and directories</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-author"></a>6.35.8. AUTHOR</h3></div></div></div><p> - pam_tally was written by Nalin Dahyabhai. + pam_timestamp was written by Nalin Dahyabhai. </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_time.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_umask.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.34. pam_time - time controled access </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.36. pam_umask - set the file mode creation mask</td></tr></table></div></body></html> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_umask.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_umask.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_umask.html 2011-10-25 14:19:01.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_umask.html 2012-08-17 11:56:27.000000000 +0200 
@@ -16,16 +16,18 @@ </p><div class="itemizedlist"><ul type="disc"><li><p> umask= argument </p></li><li><p> - umask= entry of the users GECOS field - </p></li><li><p> - pri= entry of the users GECOS field - </p></li><li><p> - ulimit= entry of the users GECOS field + umask= entry in the user's GECOS field </p></li><li><p> UMASK= entry from /etc/default/login </p></li><li><p> UMASK entry from /etc/login.defs </p></li></ul></div><p> + </p><p> + The GECOS field is split on comma ',' characters. The module + also in addition to the umask= entry recognizes pri= entry, + which sets the nice priority value for the session, and + ulimit= entry, which sets the maximum size of files the processes + in the session can create. </p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-options"></a>6.36.2. OPTIONS</h3></div></div></div><p> </p><div class="variablelist"><dl><dt><span class="term"> <code class="option">debug</code> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_unix.html new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_unix.html --- old/Linux-PAM-1.1.5/doc/sag/html/sag-pam_unix.html 2011-10-25 14:19:01.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/sag/html/sag-pam_unix.html 2012-08-17 11:56:27.000000000 +0200 
@@ -107,6 +107,8 @@ user are saved in <code class="filename">/etc/security/opasswd</code> in order to force password change history and keep the user from alternating between the same password too frequently. + Instead of this option the <span class="command"><strong>pam_pwhistory</strong></span> + module should be used. </p></dd><dt><span class="term"> <code class="option">shadow</code> </span></dt><dd><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/specs/draft-morgan-pam-current.txt new/Linux-PAM-1.1.6/doc/specs/draft-morgan-pam-current.txt --- old/Linux-PAM-1.1.5/doc/specs/draft-morgan-pam-current.txt 2011-10-25 14:16:50.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/specs/draft-morgan-pam-current.txt 2012-08-17 11:56:13.000000000 +0200 @@ -227,7 +227,7 @@ your agent has as an identifier, they you are entitled to use this identifier.) It is up to each domain how it manages its local namespace. - + The '/' character is a mandatory delimiter, indicating the end of the agent_id. The trailing data is of a format specific to the agent with the given agent_id. @@ -377,7 +377,7 @@ requests and exchanges them with the client. Every message sent by a module should be acknowledged. - General conversation functions can support the following five + General conversation functions can support the following five conversation requests: echo text string 
@@ -617,7 +617,7 @@ The return value for this function is one of the following: - PAM_BPC_TRUE - all invoked agents are content with + PAM_BPC_TRUE - all invoked agents are content with authentication (the server is _not_ judged _un_trustworthy by any agent) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.5/doc/specs/rfc86.0.txt new/Linux-PAM-1.1.6/doc/specs/rfc86.0.txt --- old/Linux-PAM-1.1.5/doc/specs/rfc86.0.txt 2011-06-21 11:04:56.000000000 +0200 +++ new/Linux-PAM-1.1.6/doc/specs/rfc86.0.txt 2012-08-15 13:08:43.000000000 +0200 @@ -1843,9 +1843,3 @@ Samar, Schemers Page 28 - - - - - - ++++++ Linux-PAM-1.1.5-docs.tar.bz2 -> Linux-PAM-1.1.6.tar.bz2 ++++++ ++++ 261185 lines of diff (skipped) ++++++ missing-DESTDIR.diff ++++++ From d7e6b921cd34f7ad8fc4d05065c75d13ba330896 Mon Sep 17 00:00:00 2001 From: Tomas Mraz <tmraz@fedoraproject.org> Date: Fri, 17 Aug 2012 12:46:40 +0000 Subject: Add missing $(DESTDIR) when making directories on install. modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making $(namespaceddir) on install. modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making $(sepermitlockdir) on install. --- diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index a28f196..ebb00f3 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -40,7 +40,7 @@ if HAVE_UNSHARE secureconf_SCRIPTS = namespace.init install-data-local: - mkdir -p $(namespaceddir) + mkdir -p $(DESTDIR)$(namespaceddir) endif diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index cfc5594..bc82275 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am 
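Review bot: The install-data-local rule still spells directory creation as a bare `mkdir -p`; since the build is automake-based, the portable form is the `$(MKDIR_P)` that configure already substitutes, i.e. `$(MKDIR_P) $(DESTDIR)$(namespaceddir)`. The pam_sepermit hunk that follows has exactly the same shape and should be changed together with this one. Nothing in the rule sets a mode on the created directory, so it takes whatever umask the build runs under; if these directories need fixed permissions that is presumably handled by the packaging, but an explicit `$(INSTALL) -d -m 755 $(DESTDIR)$(namespaceddir)` would make the result independent of the environment. The `$(DESTDIR)` prefix itself is what a staged install needs and is the right fix.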
@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la install-data-local: - mkdir -p $(sepermitlockdir) + mkdir -p $(DESTDIR)$(sepermitlockdir) endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_sepermit.8 sepermit.conf.5 -- cgit v0.9.0.2 ++++++ pam-fix-includes.patch ++++++ --- /var/tmp/diff_new_pack.JK1ppq/_old 2012-09-26 16:25:28.000000000 +0200 +++ /var/tmp/diff_new_pack.JK1ppq/_new 2012-09-26 16:25:28.000000000 +0200 @@ -1,20 +1,5 @@ -Index: Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c -=================================================================== ---- Linux-PAM-1.1.5.orig/modules/pam_unix/pam_unix_acct.c -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c -@@ -47,6 +47,8 @@ - #include <time.h> /* for time() */ - #include <errno.h> - #include <sys/wait.h> -+#include <sys/time.h> -+#include <sys/resource.h> - - #include <security/_pam_macros.h> - -Index: Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c -=================================================================== ---- Linux-PAM-1.1.5.orig/modules/pam_unix/pam_unix_passwd.c -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c +--- modules/pam_unix/pam_unix_passwd.c ++++ modules/pam_unix/pam_unix_passwd.c @@ -54,6 +54,7 @@ #include <ctype.h> #include <sys/time.h> -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
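Review bot: The rewritten pam-fix-includes.patch carries no description, so a reader cannot tell why the pam_unix_acct.c part was dropped or why the file headers lost their `Linux-PAM-1.1.5/` prefix, which changes the strip level the patch must be applied with. A one-line header placed above the first `---` line would record both, e.g. `# pam_unix_passwd.c: add the header getrlimit() needs; the former pam_unix_acct.c part is presumably covered upstream in 1.1.6 (apply with -p0)` — confirm against the 1.1.6 sources before stating it as fact. The line that the retained inner hunk `@@ -54,6 +54,7 @@` adds lies outside this view, so this note is about the patch file's own housekeeping only.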