Package: openssh-server
Version: 1:6.0p1-2
Severity: wishlist
Tags: patch

Hi,

Could you please add the call to pam_selinux in the sshd pam service. This patch requires the #677440 patch to be applied first.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru openssh-6.0p1/debian/openssh-server.sshd.pam openssh-6.0p1/debian/openssh-server.sshd.pam --- openssh-6.0p1/debian/openssh-server.sshd.pam 2012-06-28 22:09:31.000000000 +0200 +++ openssh-6.0p1/debian/openssh-server.sshd.pam 2012-06-28 22:20:39.000000000 +0200 @@ -20,6 +20,11 @@ # Standard Un*x authorization. @include common-account +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + # Print the message of the day upon successful login. # This includes a dynamically generated part from /run/motd.dynamic # and a static (admin-editable) part from /etc/motd. @@ -38,8 +43,10 @@ # Standard Un*x session setup and teardown. @include common-session -# Set up SELinux capabilities (need modified pam) -# session required pam_selinux.so multiple +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # Standard Un*x password updating. @include common-password
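Review bot: In the first hunk (`@@ -20,6 +20,11 @@`, the `pam_selinux.so close` rule) the new comment has a typo, "Without out this it is possible", which should read "Without this it is possible". The comment should also say why the control string is spelled out rather than `required`: `module_unknown=ignore` is what keeps the rule harmless on installs where pam_selinux.so is not present, while `default=bad` means any other failure of the close step fails the session, and neither of those choices is obvious from the comment as written. Since the report says the change depends on the #677440 patch, that dependency belongs in debian/changelog next to this hunk so the two are not applied out of order.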
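Review bot: In the second hunk (`@@ -38,8 +43,10 @@`, the `pam_selinux.so open` rule) the placement relative to `@include common-session` deserves a sentence in the comment: with this ordering every module pulled in by common-session runs before the context switch, so the statement "Only sessions which are intended to run in the user's context should be run after this" holds only if none of the included session modules needs the user's context; confirm that is intended and record it. Note also that `default=bad` turns a failed `open` (for example a user with no context mapping while SELinux is enforcing) into a denied login, which is the fail-closed behaviour one wants here but should be tested on an enforcing system before upload. The removed commented-out line carried a `multiple` option that the new rule drops; the changelog entry should mention that the old hint is superseded rather than silently deleted.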

