Package: gdm3
Version: 3.0.4-4
Severity: wishlist
Tags: patch

Hi,

Pam services gdm3 and gdm3-autologin should call pam_selinux module to be sure the security context of the user is properly set. The login service is currently doing this and could be used as an example.

Using 'required' control shouldn't be an issue as pam_selinux module is in the libpam-modules package which is priority required and thus should be installed by default.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdm3 depends on:
ii  accountsservice                             0.6.15-4
ii  adduser                                     3.113+nmu1
ii  dconf-gsettings-backend                     0.10.0-3
ii  debconf [debconf-2.0]                       1.5.41
ii  gconf2                                      3.2.3-1
ii  gnome-session [x-session-manager]           3.2.1-1
ii  gnome-session-bin                           3.2.1-1
ii  gnome-session-fallback [x-session-manager]  3.2.1-1
ii  gnome-terminal [x-terminal-emulator]        3.2.1-2
ii  gsettings-desktop-schemas                   3.2.0-2
ii  libaccountsservice0                         0.6.15-4
ii  libatk1.0-0                                 2.2.0-2
ii  libattr1                                    1:2.4.46-5
ii  libaudit0                                   1:1.7.18-1.1
ii  libc6                                       2.13-26
ii  libcairo-gobject2                           1.10.2-6.2
ii  libcairo2                                   1.10.2-6.2
ii  libcanberra-gtk3-0                          0.28-3
ii  libcanberra0                                0.28-3
ii  libdbus-1-3                                 1.4.18-1
ii  libdbus-glib-1-2                            0.98-1
ii  libfontconfig1                              2.8.0-3.1
ii  libfreetype6                                2.4.8-1
ii  libgconf2-4                                 3.2.3-1
ii  libgdk-pixbuf2.0-0                          2.24.1-1
ii  libglib2.0-0                                2.30.2-6
ii  libglib2.0-bin                              2.30.2-6
ii  libgtk-3-0                                  3.2.3-1
ii  libpam-modules                              1.1.3-7
ii  libpam-runtime                              1.1.3-7
ii  libpam0g                                    1.1.3-7
ii  libpango1.0-0                               1.29.4-2
ii  librsvg2-common                             2.34.2-2
ii  libselinux1                                 2.1.0-4.1
ii  libupower-glib1                             0.9.15-2
ii  libwrap0                                    7.6.q-23
ii  libx11-6                                    2:1.4.4-4
ii  libxau6                                     1:1.0.6-4
ii  libxdmcp6                                   1:1.1.0-4
ii  libxklavier16                               5.2.1-1
ii  libxrandr2                                  2:1.3.2-2
ii  lsb-base                                    3.2-28.1
ii  metacity [x-window-manager]                 1:2.34.1-2
ii  policykit-1-gnome                           0.105-2
ii  upower                                      0.9.15-2

Versions of packages gdm3 recommends:
ii  at-spi                 1.32.0-1
ii  desktop-base           6.0.7
ii  gnome-icon-theme       3.2.1.2-1
ii  gnome-power-manager    3.2.1-2
ii  gnome-settings-daemon  3.2.2-2
ii  x11-xkb-utils          7.6+4
ii  xserver-xephyr         2:1.11.3.901-2
ii  xserver-xorg           1:7.6+11
ii  zenity                 3.2.0-1

Versions of packages gdm3 suggests:
ii  gnome-mag             <none>
ii  gnome-orca            <none>
ii  gok                   <none>
ii  libpam-gnome-keyring  3.2.2-2
ii  metacity              1:2.34.1-2

-- Configuration Files:
/etc/pam.d/gdm3 changed [not included]

-- debconf information excluded

diff -Nru gdm3-3.0.4/debian/gdm3-autologin.pam gdm3-3.0.4/debian/gdm3-autologin.pam --- gdm3-3.0.4/debian/gdm3-autologin.pam 2011-10-14 14:25:16.000000000 +0200 +++ gdm3-3.0.4/debian/gdm3-autologin.pam 2012-02-25 23:57:03.000000000 +0100 @@ -3,8 +3,16 @@ auth required pam_succeed_if.so user != root quiet_success auth required pam_permit.so @include common-account +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +session required pam_selinux.so close session required pam_limits.so session required pam_env.so readenv=1 session required pam_env.so readenv=1 envfile=/etc/default/locale @include common-session +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session required pam_selinux.so open @include common-password diff -Nru gdm3-3.0.4/debian/gdm3.pam gdm3-3.0.4/debian/gdm3.pam --- gdm3-3.0.4/debian/gdm3.pam 2011-10-14 14:25:16.000000000 +0200 +++ gdm3-3.0.4/debian/gdm3.pam 2012-02-25 23:55:27.000000000 +0100 
@@ -4,9 +4,17 @@ @include common-auth auth optional pam_gnome_keyring.so @include common-account +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +session required pam_selinux.so close session required pam_limits.so session required pam_env.so readenv=1 session required pam_env.so readenv=1 envfile=/etc/default/locale @include common-session +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session required pam_selinux.so open session optional pam_gnome_keyring.so auto_start @include common-password
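
Review bot: both lines added in the gdm3-autologin.pam hunk use the plain "required" control (session required pam_selinux.so close and session required pam_selinux.so open), so any failure of pam_selinux, including the module not being loadable, fails the autologin session. The report relies on libpam-modules always being installed; if that assumption should not be load-bearing, a bracketed control that ignores module_unknown would keep login working where the module is absent. Separately, the first added comment reads "Without out this" and should read "Without this"; the same wording is repeated in the gdm3.pam hunk.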
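
Review bot: in the gdm3.pam hunk, session required pam_selinux.so open is placed after @include common-session, so pam_limits, both pam_env lines and everything common-session pulls in run between close and open, and only pam_gnome_keyring.so auto_start runs after it. That ordering is consistent with the added comment ("Only sessions which are intended to run in the user's context should be run after this"), but the contents of common-session are not visible in this patch, so please confirm that none of its modules is meant to run in the user's context, and move any that are below the open line. It would also help to say in the comment that pam_gnome_keyring is deliberately kept after open, so a later edit does not reorder it.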