Debian Bug report logs - #661289
gdm3: Please add calls to pam_selinux module in pam files

Package: gdm3; Maintainer for gdm3 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for gdm3 is src:gdm3.

Reported by: Laurent Bigonville <bigon@debian.org>

Date: Sat, 25 Feb 2012 23:03:02 UTC

Severity: wishlist

Tags: patch

Found in version gdm3/3.0.4-4

Fixed in version gdm3/3.4.1-1

Done: Josselin Mouette <joss@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#661289; Package gdm3. (Sat, 25 Feb 2012 23:03:05 GMT)

Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sat, 25 Feb 2012 23:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gdm3: Please add calls to pam_selinux module in pam files
Date: Sun, 26 Feb 2012 00:00:10 +0100
Package: gdm3
Version: 3.0.4-4
Severity: wishlist
Tags: patch

Hi,

PAM services gdm3 and gdm3-autologin should call the pam_selinux module to be
sure the security context of the user is properly set.

The login service is currently doing this and could be used as an
example.

Using the 'required' control shouldn't be an issue, as the pam_selinux module
is in the libpam-modules package, which is priority required and thus should
be installed by default.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdm3 depends on:
ii  accountsservice                             0.6.15-4
ii  adduser                                     3.113+nmu1
ii  dconf-gsettings-backend                     0.10.0-3
ii  debconf [debconf-2.0]                       1.5.41
ii  gconf2                                      3.2.3-1
ii  gnome-session [x-session-manager]           3.2.1-1
ii  gnome-session-bin                           3.2.1-1
ii  gnome-session-fallback [x-session-manager]  3.2.1-1
ii  gnome-terminal [x-terminal-emulator]        3.2.1-2
ii  gsettings-desktop-schemas                   3.2.0-2
ii  libaccountsservice0                         0.6.15-4
ii  libatk1.0-0                                 2.2.0-2
ii  libattr1                                    1:2.4.46-5
ii  libaudit0                                   1:1.7.18-1.1
ii  libc6                                       2.13-26
ii  libcairo-gobject2                           1.10.2-6.2
ii  libcairo2                                   1.10.2-6.2
ii  libcanberra-gtk3-0                          0.28-3
ii  libcanberra0                                0.28-3
ii  libdbus-1-3                                 1.4.18-1
ii  libdbus-glib-1-2                            0.98-1
ii  libfontconfig1                              2.8.0-3.1
ii  libfreetype6                                2.4.8-1
ii  libgconf2-4                                 3.2.3-1
ii  libgdk-pixbuf2.0-0                          2.24.1-1
ii  libglib2.0-0                                2.30.2-6
ii  libglib2.0-bin                              2.30.2-6
ii  libgtk-3-0                                  3.2.3-1
ii  libpam-modules                              1.1.3-7
ii  libpam-runtime                              1.1.3-7
ii  libpam0g                                    1.1.3-7
ii  libpango1.0-0                               1.29.4-2
ii  librsvg2-common                             2.34.2-2
ii  libselinux1                                 2.1.0-4.1
ii  libupower-glib1                             0.9.15-2
ii  libwrap0                                    7.6.q-23
ii  libx11-6                                    2:1.4.4-4
ii  libxau6                                     1:1.0.6-4
ii  libxdmcp6                                   1:1.1.0-4
ii  libxklavier16                               5.2.1-1
ii  libxrandr2                                  2:1.3.2-2
ii  lsb-base                                    3.2-28.1
ii  metacity [x-window-manager]                 1:2.34.1-2
ii  policykit-1-gnome                           0.105-2
ii  upower                                      0.9.15-2

Versions of packages gdm3 recommends:
ii  at-spi                 1.32.0-1
ii  desktop-base           6.0.7
ii  gnome-icon-theme       3.2.1.2-1
ii  gnome-power-manager    3.2.1-2
ii  gnome-settings-daemon  3.2.2-2
ii  x11-xkb-utils          7.6+4
ii  xserver-xephyr         2:1.11.3.901-2
ii  xserver-xorg           1:7.6+11
ii  zenity                 3.2.0-1

Versions of packages gdm3 suggests:
ii  gnome-mag             <none>
ii  gnome-orca            <none>
ii  gok                   <none>
ii  libpam-gnome-keyring  3.2.2-2
ii  metacity              1:2.34.1-2

-- Configuration Files:
/etc/pam.d/gdm3 changed [not included]

-- debconf information excluded
[gdm_pam_selinux.patch (text/x-diff, attachment)]

Added tag(s) pending. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Fri, 23 Mar 2012 10:39:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#661289; Package gdm3. (Fri, 15 Jun 2012 20:09:02 GMT)

Acknowledgement sent to Henrik Ahlgren <pablo@seestieto.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 15 Jun 2012 20:09:02 GMT)

Message #12 received at 661289@bugs.debian.org:

From: Henrik Ahlgren <pablo@seestieto.com>
To: 661289@bugs.debian.org
Subject: Is a bug and should be fixed in stable too
Date: Fri, 15 Jun 2012 23:05:20 +0300
When I log in, as a normal user, to a Debian Squeeze system using the
standard GNOME display manager/login (which I believe is gdm3), id -Z
reports "system_u:system_r:initrc_t:s0" as the context. If I log in to
the same machine from a text virtual console (Alt-Ctrl-F1), the context
is "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" which I
believe to be correct.

If I do "setenforce 1", basically every program stops working in the
GNOME environment (and audit.log gets flooded by various avc errors),
and I assume this is caused by the wrong context. In practice, this
prevents me from using SELinux in a desktop setting.

If this indeed happens due to the fact that /etc/pam.d/gdm3 does not
include any selinux modules, I feel this should not be just a wish list
item, but an important bug, that should also be fixed in stable.
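
A check for the condition the two messages above describe, added here as an example and not part of the bug report or the gdm3 package: `pam_selinux_hooks` reports whether a PAM service file's session stack calls pam_selinux, and `context_type` extracts the type from an `id -Z` context. Both function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): report which pam_selinux session
# hooks a PAM service file calls. @include lines are not followed.
pam_selinux_hooks() {   # prints open+close, open, close or none
    awk '
        /^[ \t]*#/ { next }                            # comment line
        $1 != "session" && $1 != "-session" { next }   # auth/account/password
        {
            mod = 0; o = 0; c = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_selinux.so" || $i ~ /\/pam_selinux\.so$/) mod = i
                else if (mod && $i == "open")  o = 1
                else if (mod && $i == "close") c = 1
            }
            if (!mod) next
            if (!o && !c) { o = 1; c = 1 }   # no keyword: both portions run
            if (o) has_open = 1
            if (c) has_close = 1
        }
        END {
            if (has_open && has_close) print "open+close"
            else if (has_open)         print "open"
            else if (has_close)        print "close"
            else                       print "none"
        }' "$1"
}

# SELinux type: third field of a user:role:type:level context (id -Z output).
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Constructed sample files, not the real Debian gdm3 or login PAM files.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/without" <<'EOF'
auth    requisite  pam_nologin.so
# session required pam_selinux.so open
session required   pam_limits.so
@include common-session
EOF
cat > "$tmp/with" <<'EOF'
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required   pam_limits.so
@include common-session
session required   pam_selinux.so open
EOF
echo "without: $(pam_selinux_hooks "$tmp/without")"
echo "with:    $(pam_selinux_hooks "$tmp/with")"
echo "type:    $(context_type 'system_u:system_r:initrc_t:s0')"
```

On a real system the same function can be pointed at `/etc/pam.d/gdm3` and `/etc/pam.d/gdm3-autologin`; files pulled in through `@include` have to be checked separately.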




Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Wed, 20 Jun 2012 22:51:26 GMT)

Notification sent to Laurent Bigonville <bigon@debian.org>:
Bug acknowledged by developer. (Wed, 20 Jun 2012 22:51:26 GMT)

Message #17 received at 661289-close@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: 661289-close@bugs.debian.org
Subject: Bug#661289: fixed in gdm3 3.4.1-1
Date: Wed, 20 Jun 2012 22:47:35 +0000
Source: gdm3
Source-Version: 3.4.1-1

We believe that the bug you reported is fixed in the latest version of
gdm3, which is due to be installed in the Debian FTP archive:

gdm3_3.4.1-1.debian.tar.gz
  to main/g/gdm3/gdm3_3.4.1-1.debian.tar.gz
gdm3_3.4.1-1.dsc
  to main/g/gdm3/gdm3_3.4.1-1.dsc
gdm3_3.4.1-1_amd64.deb
  to main/g/gdm3/gdm3_3.4.1-1_amd64.deb
gdm3_3.4.1.orig.tar.xz
  to main/g/gdm3/gdm3_3.4.1.orig.tar.xz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated gdm3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 21 Jun 2012 00:18:36 +0200
Source: gdm3
Binary: gdm3
Architecture: source amd64
Version: 3.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 gdm3       - Next generation GNOME Display Manager
Closes: 580627 610826 648666 650183 655328 656384 661289 661745
Changes: 
 gdm3 (3.4.1-1) unstable; urgency=low
 .
   [ Jordi Mallach ]
   * Update po-up/ca.po.
 .
   [ Josselin Mouette ]
   * gdm3.init: remove .ICEauthority before starting. Closes: #648666.
   * x11-common will now include xhost code to give access to the
     local user if xhost is installed (see #586685).
     + Depend on the appropriate x11-common version.
     + Depend on x11-xserver-utils so that it actually works.
   * New upstream release.
   * Updated build-dependencies: nss, glib.
   * 01_language.patch: dropped, merged upstream.
   * 04_no_fatal_criticals.patch: dropped, obsolete.
   * 07_libexec-paths.patch: removed unused variables/files.
   * 08_frequent-users_greeter.patch: reworked according to upstream
     changes.
   * 10_gdm3_pam.patch: updated for the new version. Do not prefix the
     PAM files for multistack, they have new names anyway.
   * 14_pam_dialog.patch: dropped, upstream merged an improved version.
   * 18_parametrize_create_display.patch: updated for the new version.
   * 19_static_transient_display.patch: unfuzzed.
   * 29_grep_path.patch: dropped, merged upstream.
   * 91_dconf_override.patch: dropped, the configuration generation has
     completely changed.
   * 93_xdg_data_dirs.patch: dropped, similar functionality merged
     upstream.
   * Drop the dconf-gsettings-backend dependency.
   * greeter.gconf-defaults:
     + Drop the g-p-m setting.
   * greeter.gsettings:
     + Force gdm-fallback as the default session.
     + Document how to use gdm-shell.
     + Document how to change the background. Closes: #655328.
   * rules:
     + Generate xx_upstream.gschema.override from the new
       00-upstream-settings file (much simpler).
     + Remove /etc/dconf from the installed files.
     + Drop all development libraries/headers.
     + Explicitly disable introspection.
     + (All of this can be shipped in separate packages if actual
       packages start using this library.)
     + Explicitly disable split authentication, it will not work properly
       with the Debianized PAM stack.
     + Remove the associated PAM files.
     + Disable dh_makeshlibs.
     + Install the dconf stuff in /usr/share/gdm.
   * gdm3.postinst:
     + Remove the old gsettings file upon upgrade.
   * gdm3.links:
     + Remove the old gsettings link.
   * gdm3.init:
     + Replace the gsettings generation by a dconf-based one.
     + Do a conversion for the configuration file so that it remains
       compatible.
   * 92_gsettings_path.patch: updated to force the dconf directory to be
     in the GDM runtime directory.
   * gdm3.install:
     + Stop installing MIME files by hand.
   * 93_private_lib.patch: new patch. Install the shared library in a
     private directory.
   * Break gnome-shell < 3.2 for correct shell support.
   * Suggest gnome-shell.
   * Require g-s-d and metacity, they are no longer optional. Requiring
     g-s-d 3.2 Closes: #656384.
   * Require d-conf 0.10.0-4 to configure the dconf path and parse
     defaults in order.
 .
   [ Laurent Bigonville ]
   * debian/gdm3.pam, debian/gdm3-autologin.pam: Call pam_selinux pam module
     (Closes: #661289)
   * debian/gdm3.pam, debian/gdm3-autologin.pam: Call pam_loginuid pam module
     (Closes: #661745)
 .
   [ Josselin Mouette ]
   * New upstream release.
     + Features the incredible capability to not try endlessly to start
       up X servers when they fail to start.
       Closes: #580627, #610826, #650183.
   * Move login manager defaults from gconf to gsettings.
     + Now we use full path for the icon.
   * Add the metacity default to gsettings too.
   * Require a metacity version which supports gsettings.
   * Get rid of anything related to GConf.
   * Use dh maintscript support to remove the old GConf config file.
   * Force disable systemd support.
   * 06_first_vt.patch, 17_switch_on_finish.patch: refreshed.
   * 07_libexec-paths.patch:
     + Use the binary path as provided by g-s-d.pc.
     + Add a check for gnome-session, which is also used.
   * 10_gdm3_pam.patch: handle the bucket of FAIL that is hardcoding the
     service name in various places since split authentication was
     introduced.
   * 18_parametrize_create_display.patch,
     19_static_transient_display.patch, 20_switch_kill_greeter.patch,
     21_static_display_purge.patch: adapt to systemd/multiseat changes.
   * Require dconf 0.12.1-2.
   * gdm3.post{inst,rm}: add a gdm-welcome PAM service, which is now
     needed for the login session. It's just a symlink.
   * 91_shell_version_control.patch: new patch, Debian-specific. Add
     strict version checking for gnome-shell in order to go to the fall
     back session in case of potential incompatibility.
   * 93_private_lib.patch: also install the typelib file in the private
     directory, and drop the gir file.
   * gdm3.dirs: /usr/lib/gnome-shell
   * rules:
     + Remove pre-built gdm.schemas which includes incorrect settings.
     + Enable introspection.
     + Instruct dh_girepository to look at the typelib file in the right
       place.
     + Add symbolic links for the library and typelib in the gnome-shell
       directory so that it can use them.
   * Add gir (build-)dependencies.
   * 23_start_polkit.patch: new patch. Start the policykit agent in the
     fallback session. Otherwise reboot/shutdown does nothing when
     someone is logged on.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFP4k60rSla4ddfhTMRArr5AJ9Rd3MIUbwGTQ28uuIy3TaqkpzoLwCeJvjA
rXzAavXtfENtf0GN0C8c+ms=
=l395
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jul 2012 07:34:12 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:04:13 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.