Bug#387480: [Pkg-shadow-devel] Bug#387480: Please add commented pam_selinux line.

Christian Perrier bubulle at debian.org
Fri Sep 15 05:16:58 UTC 2006


Quoting Christian Perrier (bubulle at debian.org):
> Quoting Christian Perrier (bubulle at debian.org):
> > > Is there a recommended position to add this line? (e.g. shall we put it
> > > before or after including common-session?)
> > > 
> > > Also, wouldn't it be better to add this line to common-session?
> > 
> > 
> > I've just asked for Manoj's input about this on IRC....
> > 
> > 
> 
> 
> Manoj comments:
> 
> 20:18 < bubulle> Manoj: if you have a minute, could you please comment on #387480?
> 20:29 < Manoj> bubulle: Indeed, the SELinux HOW that I'm starting has the recommendation to add
> 20:29 < Manoj> session required pam_selinux.so multiple
> 20:29 < Manoj> in both /etc/pam.d/ssh and /etc/pam.d/login
> 20:30 < Manoj> having the line present, perhaps with a comment "# Uncomment the following to enable SELinux
>                (provides proper security context)
> 

After another thread in -boot, this request is obviously coordinated
by SELinux wizards, so we will very likely add this in the provided
PAM config file.

The last question asked by Nicolas remains: *where* exactly do you
suggest we add this line in the following:

(with a side question-->shouldn't this go in the common-session file)

#
# The PAM configuration file for the Shadow `login' service
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20060915/9fe7a93c/attachment.pgp


More information about the Pkg-shadow-devel mailing list