From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001 From: Scott Little Date: Mon, 2 Oct 2017 15:32:15 -0400 Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch --- SOURCES/sshd.pam | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam index 0f5c061..72303eb 100644 --- a/SOURCES/sshd.pam +++ b/SOURCES/sshd.pam @@ -1,20 +1,24 @@ #%PAM-1.0 -auth required pam_sepermit.so -auth substack password-auth -auth include postlogin -# Used with polkit to reauthorize users in remote sessions --auth optional pam_reauthorize.so prepare + +auth include common-auth account required pam_nologin.so -account include password-auth -password include password-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close -session required pam_loginuid.so -# pam_selinux.so open should only be followed by sessions to be executed in the user context -session required pam_selinux.so open env_params -session required pam_namespace.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +account include common-account +password include common-password session optional pam_keyinit.so force revoke -session include password-auth -session include postlogin -# Used with polkit to reauthorize users in remote sessions --session optional pam_reauthorize.so prepare +session include common-session +session required pam_loginuid.so + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -- 1.9.1