[Pkg-xfce-commits] r6495 - goodies/trunk/lightdm/debian
Yves-Alexis Perez
corsac at alioth.debian.org
Thu Mar 22 09:44:42 UTC 2012
Author: corsac
Date: 2012-03-22 21:44:41 +0000 (Thu, 22 Mar 2012)
New Revision: 6495
Modified:
goodies/trunk/lightdm/debian/lightdm.pam
Log:
update pam file for selinux
Modified: goodies/trunk/lightdm/debian/lightdm.pam
===================================================================
--- goodies/trunk/lightdm/debian/lightdm.pam 2012-03-22 21:44:08 UTC (rev 6494)
+++ goodies/trunk/lightdm/debian/lightdm.pam 2012-03-22 21:44:41 UTC (rev 6495)
@@ -6,9 +6,19 @@
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
-session required pam_selinux.so close
@include common-session
-session required pam_selinux.so open
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
session optional pam_gnome_keyring.so auto_start
@include common-password
More information about the Pkg-xfce-commits
mailing list