Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in at 2026-03-12 22:20:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Thu Mar 12 22:20:20 2026 rev:152 rq:1337951 version:1.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/pam/pam.changes 2026-01-26 10:42:25.032001721 +0100 +++ /work/SRC/openSUSE:Factory/.pam.new.8177/pam.changes 2026-03-12 22:20:21.593508143 +0100 @@ -1,0 +2,6 @@ +Tue Mar 10 11:03:35 UTC 2026 - Thorsten Kukuk <[email protected]> + +- pam_unix-selinux.patch: always call unix_update if SELinux is + enabled [bsc#1243242], [bsc#1259119] + +------------------------------------------------------------------- New: ---- pam_unix-selinux.patch ----------(New B)---------- New: - pam_unix-selinux.patch: always call unix_update if SELinux is enabled [bsc#1243242], [bsc#1259119] ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.t81kg2/_old 2026-03-12 22:20:22.769557219 +0100 +++ /var/tmp/diff_new_pack.t81kg2/_new 2026-03-12 22:20:22.769557219 +0100 @@ -92,6 +92,7 @@ Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch +Patch2: pam_unix-selinux.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex ++++++ pam_unix-selinux.patch ++++++ >From 0183cf9eee82d11c312f02dfc862f607f3cdcf99 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk <[email protected]>
Date: Thu, 5 Mar 2026 17:15:08 +0100
Subject: [PATCH] pam_unix: always call unix_update if SELinux is enabled

unix_selinux_confined() checks if an application can read /etc/shadow and assumes that in this case it can also write to it and create all necessary (temporary) files. This might have been the case with the SELinux policy 18 years ago, but today the policies are more fine grained and some applications might have read access to /etc/shadow, but are not allowed to create files. Thus we should always use unix_update if SELinux is enabled to be on the safe side.

See https://bugzilla.suse.com/show_bug.cgi?id=1243242
---
 modules/pam_unix/passverify.c | 40 ++++------------------------------------ 1 file changed, 4 insertions(+), 36 deletions(-) diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 8e0deb080..916cb9f53 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -540,42 +540,10 @@ PAMH_ARG_DECL(char * create_password_hash, int unix_selinux_confined(void) { - static int confined = -1; - int fd; - char tempfile[]="/etc/.pwdXXXXXX"; - - if (confined != -1) - return confined; - - /* cannot be confined without SELinux enabled */ - if (!SELINUX_ENABLED){ - confined = 0; - return confined; - } - - /* let's try opening shadow read only */ - if ((fd=open("/etc/shadow", O_RDONLY | O_CLOEXEC)) != -1) { - close(fd); - confined = 0; - return confined; - } - - if (errno == EACCES) { - confined = 1; - return confined; - } - - /* shadow opening failed because of other reasons let's try - creating a file in /etc */ - if ((fd=mkstemp(tempfile)) != -1) { - unlink(tempfile); - close(fd); - confined = 0; - return confined; - } - - confined = 1; - return confined; + if (is_selinux_enabled() > 0 && + security_getenforce() > 0) + return 1; + return 0; } #else
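Review bot: the new unix_selinux_confined() treats a failing security_getenforce() (it returns -1 on error) as "not confined", so an error in querying the enforce mode silently selects the direct /etc/shadow write path that this patch is trying to avoid; given the stated goal of being on the safe side, consider returning 1 whenever is_selinux_enabled() > 0 and only returning 0 for an explicit permissive result, e.g. `if (is_selinux_enabled() > 0) return security_getenforce() != 0;`. The `security_getenforce() > 0` condition also means the helper is not used in permissive mode, which does not match the subject line and the pam.changes entry ("always call unix_update if SELinux is enabled"); either the wording or the condition should be adjusted so they agree. Since the removed block was the only code in this function using open(), mkstemp(), errno and the SELINUX_ENABLED macro, also check whether the corresponding includes and the macro are still needed elsewhere in passverify.c.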
