Mailinglist Archive: opensuse-bugs (4690 mails)

[Bug 582366] New: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 23 Feb 2010 19:40:28 +0000
  • Message-id: <bug-582366-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>
http://bugzilla.novell.com/show_bug.cgi?id=582366

http://bugzilla.novell.com/show_bug.cgi?id=582366#c0


Summary: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: justinmattock@xxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2b1) Gecko/20091114 Firefox/3.6b1

In order for an SELinux user to log in to a correct type/role
(example: staff_t:staff_r:staff_r),
/etc/pam.d/{login,xdm,gdm,(optional)sshd}
need to have the entries pam_selinux.so open/close in them in order
to have libpam properly do its thing.

Reproducible: Always

Steps to Reproduce:
If using a binary policy, one can check
the login results with semanage login -l.
There one can choose which one they want (roles etc.).
Example:
semanage login -a -s staff_u pebenito
After logging in/out, the user should be in the role which they chose.
Example: staff_u:staff_r:staff_t

Actual Results:
Below are the three files login, gdm, and xdm which get me into the proper
role upon login:


/etc/pam.d/*
cat login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_selinux.so close
session required pam_loginuid.so
session include common-session
session required pam_selinux.so open
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so

cat gdm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_selinux.so close
session required pam_loginuid.so
session include common-session
session required pam_selinux.so open


cat xdm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_selinux.so close
session required pam_loginuid.so
session include common-session
session required pam_selinux.so open

As for sshd, I have not added pam_selinux.so to that yet.
If building the source with SELinux support enabled, the package does supply the
correct SELinux/PAM modules
(pam_selinux.so).


Expected Results:
Users should be able to log in under the correct type/role: either
sysadm_r, staff_r, user_r, unconfined_r etc.

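An added example (not part of the bug report or of openSUSE's packaging): a Python check that a PAM service file carries the explicit pam_selinux.so close/open pair in the order the report's files use, with close as the first session rule and open after it. The function names and the sample file without the entries are constructed for illustration.

```python
import re

# Constructed sample inputs: the gdm file as posted in the report, and a
# hypothetical copy of it with the pam_selinux.so entries taken out.
GDM_FROM_REPORT = """\
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_selinux.so close
session required pam_loginuid.so
session include common-session
session required pam_selinux.so open
"""
GDM_WITHOUT_SELINUX = "\n".join(
    ln for ln in GDM_FROM_REPORT.splitlines() if "pam_selinux" not in ln) + "\n"

# Fields: type, control (plain word or [bracketed list]), module/file, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_rules(text):
    """Return (module, [args]) for each session rule, in stack order."""
    text = text.replace("\\\n", " ")          # join backslash continuations
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if m and m.group(1).lower() == "session":
            rules.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def check_pam_selinux(text):
    """List problems with the explicit close/open pair in one service file."""
    rules = session_rules(text)
    pos = {a: i for i, (mod, args) in enumerate(rules)
           if mod == "pam_selinux.so" for a in args if a in ("open", "close")}
    problems = [f"no 'pam_selinux.so {a}' session rule"
                for a in ("close", "open") if a not in pos]
    if "close" in pos and pos["close"] != 0:
        problems.append("'close' is not the first session rule")
    if len(pos) == 2 and pos["open"] < pos["close"]:
        problems.append("'open' appears before 'close'")
    return problems
```

Pass the contents of each of /etc/pam.d/login, gdm, xdm and sshd to `check_pam_selinux`; an empty list means the file matches the layout shown in the report.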
