- make proper use of pam_loginuid and pam_selinux in rshd and ftpd

2007-10-17 17:48:52 +00:00 · 2007-10-17 17:48:52 +00:00 · a0f391756d
commit a0f391756d
parent 345c67344c
4 changed files with 20 additions and 3 deletions
--- a/ekshell.pamd
+++ b/ekshell.pamd
@ -6,5 +6,10 @@ auth       required     pam_securetty.so
 auth       required     pam_env.so
 auth       required     pam_rhosts_auth.so
 account    include      system-auth
-session	   optional     pam_keyinit.so    force revoke
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    optional     pam_keyinit.so force revoke
 session    include      system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
+session    required     pam_loginuid.so
+session    required     pam_selinux.so open
--- a/gssftp.pamd
+++ b/gssftp.pamd
@ -4,6 +4,10 @@ auth    required pam_shells.so
 auth    include  system-auth
 account required pam_nologin.so
 account include  system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
 session optional pam_keyinit.so force revoke
 session include  system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
 session required pam_loginuid.so
+session required pam_selinux.so open
--- a/krb5.spec
+++ b/krb5.spec
@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -210,6 +210,9 @@ installed on systems which are meant provide these services.
 %endif

 %changelog
+* Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10
+- make proper use of pam_loginuid and pam_selinux in rshd and ftpd
+
 * Fri Oct 12 2007 Nalin Dahyabhai <nalin@redhat.com>
 - make krb5.conf %%verify(not md5 size mtime) in addition to
  %%config(noreplace), like /etc/nsswitch.conf (#329811)
--- a/kshell.pamd
+++ b/kshell.pamd
@ -6,5 +6,10 @@ auth       required     pam_securetty.so
 auth       required     pam_env.so
 auth       required     pam_rhosts_auth.so
 account    include      system-auth
-session	   optional     pam_keyinit.so    force revoke
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    optional     pam_keyinit.so force revoke
 session    include      system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
+session    required     pam_loginuid.so
+session    required     pam_selinux.so open