pam: reorder pam_selinux(7) usage
Move the pam_selinux.so open call further up the stack such that most session modules are run under the updated security context of the user. Similar to the login(1) PAM configuration and Fedora, run pam_loginuid(8) under the privileged context.
One noticeable change is pam_keyinit(8) being run under the user context (as with login(1)), leading to the session key having the security context of the user instead of sddm.
/cc @bigon @etbe @selinux-team
p.s.: see also https://sources.debian.org/src/gdm3/43.0-1/data/pam-redhat/gdm-password.pam/, https://sources.debian.org/src/gdm3/43.0-1/data/pam-redhat/gdm-autologin.pam/, https://sources.debian.org/src/cockpit/283-1/tools/cockpit.debian.pam/, https://sources.debian.org/src/xdm/1:1.1.11-3/debian/xdm.pam/ and ssh-team/openssh!20.
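
The ordering described above can be checked mechanically. The following is an added example, not part of the merge request or the sddm packaging: `session_modules`, `check_order` and both sample stacks are constructed for illustration, and the rule that `close` precedes `open` is an assumption taken from the usual login(1) layout.

```python
import re

# type, control (simple keyword or [bracketed list]), module, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
CTL = "[success=ok ignore=ignore module_unknown=ignore default=bad]"

# Constructed sample stacks (not copied from any package).
BEFORE = f"""\
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_limits.so
session {CTL} pam_selinux.so close
session {CTL} pam_selinux.so open
"""
AFTER = f"""\
session {CTL} pam_selinux.so close
session required pam_loginuid.so
session {CTL} pam_selinux.so open   # user context from here on
session optional pam_keyinit.so force revoke
session required pam_limits.so
"""

def session_modules(text):
    """Return [(module, args)] for session lines, in stack order."""
    mods = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1) == "session":             # skips @include too
            mods.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return mods

def check_order(text):
    """List ordering problems relative to the pam_selinux.so open call."""
    mods = session_modules(text)
    def idx(name, arg=None):
        return next((i for i, (mod, args) in enumerate(mods)
                     if mod == name and (arg is None or arg in args)), None)
    open_i = idx("pam_selinux.so", "open")
    if open_i is None:
        return ["pam_selinux.so open is missing"]
    problems = []
    close_i = idx("pam_selinux.so", "close")
    if close_i is not None and close_i > open_i:
        problems.append("pam_selinux.so close runs after open")
    loginuid_i = idx("pam_loginuid.so")
    if loginuid_i is not None and loginuid_i > open_i:
        problems.append("pam_loginuid.so runs after pam_selinux.so open")
    keyinit_i = idx("pam_keyinit.so")
    if keyinit_i is not None and keyinit_i < open_i:
        problems.append("pam_keyinit.so runs before pam_selinux.so open")
    return problems
```
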