bab9bb6b69
Create new directories:
ceph
config
config-files
filesystem
kernel
kernel/kernel-modules
ldap
logging
strorage-drivers
tools
utilities
virt
Retire directories:
connectivity
core
devtools
support
extended
Delete two packages:
tgt
irqbalance
Relocated packages:
base/
dhcp
initscripts
libevent
lighttpd
linuxptp
memcached
net-snmp
novnc
ntp
openssh
pam
procps
sanlock
shadow
sudo
systemd
util-linux
vim
watchdog
ceph/
python-cephclient
config/
facter
puppet-4.8.2
puppet-modules
filesystem/
e2fsprogs
nfs-utils
nfscheck
kernel/
kernel-std
kernel-rt
kernel/kernel-modules/
mlnx-ofa_kernel
ldap/
nss-pam-ldapd
openldap
logging/
syslog-ng
logrotate
networking/
lldpd
iproute
mellanox
python-ryu
mlx4-config
python/
python-2.7.5
python-django
python-gunicorn
python-setuptools
python-smartpm
python-voluptuous
security/
shim-signed
shim-unsigned
tboot
strorage-drivers/
python-3parclient
python-lefthandclient
virt/
cloud-init
libvirt
libvirt-python
qemu
tools/
storage-topology
vm-topology
utilities/
tis-extensions
namespace-utils
nova-utils
update-motd
Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
59 lines
2.4 KiB
Diff
59 lines
2.4 KiB
Diff
From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
|
|
From: Scott Little <scott.little@windriver.com>
|
|
Date: Mon, 2 Oct 2017 15:32:15 -0400
|
|
Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch
|
|
|
|
---
|
|
SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
|
|
1 file changed, 21 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
|
|
index 0f5c061..72303eb 100644
|
|
--- a/SOURCES/sshd.pam
|
|
+++ b/SOURCES/sshd.pam
|
|
@@ -1,20 +1,24 @@
|
|
#%PAM-1.0
|
|
-auth required pam_sepermit.so
|
|
-auth substack password-auth
|
|
-auth include postlogin
|
|
-# Used with polkit to reauthorize users in remote sessions
|
|
--auth optional pam_reauthorize.so prepare
|
|
+
|
|
+auth include common-auth
|
|
account required pam_nologin.so
|
|
-account include password-auth
|
|
-password include password-auth
|
|
-# pam_selinux.so close should be the first session rule
|
|
-session required pam_selinux.so close
|
|
-session required pam_loginuid.so
|
|
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
|
-session required pam_selinux.so open env_params
|
|
-session required pam_namespace.so
|
|
+
|
|
+# SELinux needs to be the first session rule. This ensures that any
|
|
+# lingering context has been cleared. Without out this it is possible
|
|
+# that a module could execute code in the wrong domain.
|
|
+# When the module is present, "required" would be sufficient (When SELinux
|
|
+# is disabled, this returns success.)
|
|
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
+
|
|
+account include common-account
|
|
+password include common-password
|
|
session optional pam_keyinit.so force revoke
|
|
-session include password-auth
|
|
-session include postlogin
|
|
-# Used with polkit to reauthorize users in remote sessions
|
|
--session optional pam_reauthorize.so prepare
|
|
+session include common-session
|
|
+session required pam_loginuid.so
|
|
+
|
|
+# SELinux needs to intervene at login time to ensure that the process
|
|
+# starts in the proper default security context. Only sessions which are
|
|
+# intended to run in the user's context should be run after this.
|
|
+# When the module is present, "required" would be sufficient (When SELinux
|
|
+# is disabled, this returns success.)
|
|
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
--
|
|
1.9.1
|
|
|