All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] shadow: remove selinux entry from pam.d/login
@ 2011-05-31 18:33 Koen Kooi
  2011-06-01  9:23 ` Koen Kooi
  2011-06-03  0:21 ` Saul Wold
  0 siblings, 2 replies; 4+ messages in thread
From: Koen Kooi @ 2011-05-31 18:33 UTC (permalink / raw)
  To: openembedded-core; +Cc: Koen Kooi

SElinux has been disabled in the recipe, leading to messages like this:

[  167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
[  167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so

Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
---
 meta/recipes-extended/shadow/files/pam.d/login |    7 -------
 meta/recipes-extended/shadow/shadow.inc        |    2 ++
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
index e41eb04..e4dacc2 100644
--- a/meta/recipes-extended/shadow/files/pam.d/login
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -26,13 +26,6 @@ auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_secur
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any 
-# lingering context has been cleared. Without out this it is possible 
-# that a module could execute code in the wrong domain.
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-
 # This module parses environment configuration file(s)
 # and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 42f92a7..35bd6a8 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic"
 LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
                     file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
 
+PR = "r1"
+
 PAM_PLUGINS = "  libpam-runtime \
                  pam-plugin-faildelay \
                  pam-plugin-securetty \
-- 
1.6.6.1




^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] shadow: remove selinux entry from pam.d/login
  2011-05-31 18:33 [PATCH] shadow: remove selinux entry from pam.d/login Koen Kooi
@ 2011-06-01  9:23 ` Koen Kooi
  2011-06-01 17:35   ` Scott Garman
  2011-06-03  0:21 ` Saul Wold
  1 sibling, 1 reply; 4+ messages in thread
From: Koen Kooi @ 2011-06-01  9:23 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

This one is orthogonal to the other shadow patches by the looks of it.

Op 31 mei 2011, om 20:33 heeft Koen Kooi het volgende geschreven:

> SElinux has been disabled in the recipe, leading to messages like this:
> 
> [  167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
> [  167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so
> 
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
> meta/recipes-extended/shadow/files/pam.d/login |    7 -------
> meta/recipes-extended/shadow/shadow.inc        |    2 ++
> 2 files changed, 2 insertions(+), 7 deletions(-)
> 
> diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
> index e41eb04..e4dacc2 100644
> --- a/meta/recipes-extended/shadow/files/pam.d/login
> +++ b/meta/recipes-extended/shadow/files/pam.d/login
> @@ -26,13 +26,6 @@ auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_secur
> # (Replaces the `NOLOGINS_FILE' option from login.defs)
> auth       requisite  pam_nologin.so
> 
> -# SELinux needs to be the first session rule. This ensures that any 
> -# lingering context has been cleared. Without out this it is possible 
> -# that a module could execute code in the wrong domain.
> -# When the module is present, "required" would be sufficient (When SELinux
> -# is disabled, this returns success.)
> -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> -
> # This module parses environment configuration file(s)
> # and also allows you to use an extended config
> # file /etc/security/pam_env.conf.
> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
> index 42f92a7..35bd6a8 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic"
> LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
>                     file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
> 
> +PR = "r1"
> +
> PAM_PLUGINS = "  libpam-runtime \
>                  pam-plugin-faildelay \
>                  pam-plugin-securetty \
> -- 
> 1.6.6.1
> 




^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] shadow: remove selinux entry from pam.d/login
  2011-06-01  9:23 ` Koen Kooi
@ 2011-06-01 17:35   ` Scott Garman
  0 siblings, 0 replies; 4+ messages in thread
From: Scott Garman @ 2011-06-01 17:35 UTC (permalink / raw)
  To: openembedded-core

On 06/01/2011 02:23 AM, Koen Kooi wrote:
> This one is orthogonal to the other shadow patches by the looks of it.

That's how I see it, too.

I'll be making a v2 pull request for my user/group addition code, so if 
your patch makes it into the tree today, I will rebase to it before 
sending my next pull request.

Scott

-- 
Scott Garman
Embedded Linux Engineer - Yocto Project
Intel Open Source Technology Center



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] shadow: remove selinux entry from pam.d/login
  2011-05-31 18:33 [PATCH] shadow: remove selinux entry from pam.d/login Koen Kooi
  2011-06-01  9:23 ` Koen Kooi
@ 2011-06-03  0:21 ` Saul Wold
  1 sibling, 0 replies; 4+ messages in thread
From: Saul Wold @ 2011-06-03  0:21 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer; +Cc: Koen Kooi

On 05/31/2011 11:33 AM, Koen Kooi wrote:
> SElinux has been disabled in the recipe, leading to messages like this:
>
> [  167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
> [  167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so
>
> Signed-off-by: Koen Kooi<koen@dominion.thruhere.net>
> ---
>   meta/recipes-extended/shadow/files/pam.d/login |    7 -------
>   meta/recipes-extended/shadow/shadow.inc        |    2 ++
>   2 files changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
> index e41eb04..e4dacc2 100644
> --- a/meta/recipes-extended/shadow/files/pam.d/login
> +++ b/meta/recipes-extended/shadow/files/pam.d/login
> @@ -26,13 +26,6 @@ auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_secur
>   # (Replaces the `NOLOGINS_FILE' option from login.defs)
>   auth       requisite  pam_nologin.so
>
> -# SELinux needs to be the first session rule. This ensures that any
> -# lingering context has been cleared. Without out this it is possible
> -# that a module could execute code in the wrong domain.
> -# When the module is present, "required" would be sufficient (When SELinux
> -# is disabled, this returns success.)
> -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> -
>   # This module parses environment configuration file(s)
>   # and also allows you to use an extended config
>   # file /etc/security/pam_env.conf.
> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
> index 42f92a7..35bd6a8 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic"
>   LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
>                       file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
>
> +PR = "r1"
> +
>   PAM_PLUGINS = "  libpam-runtime \
>                    pam-plugin-faildelay \
>                    pam-plugin-securetty \
Merged into oe-core

Thanks
	Sau!



^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-06-03  0:24 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-31 18:33 [PATCH] shadow: remove selinux entry from pam.d/login Koen Kooi
2011-06-01  9:23 ` Koen Kooi
2011-06-01 17:35   ` Scott Garman
2011-06-03  0:21 ` Saul Wold

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.