Reorder pam_selinux(7) usage (Closes: #747303)
Move the pam_selinux.so open call further up the stack such that most session modules are run under the updated security context of the user.

Similar to the login(1) PAM configuration and Fedora, run pam_loginuid(8) under the privileged context.

Since the Debian version of pam_motd(8), due to the addition of the `noupdate` option, calls system(3), also call it under the privileged context, since users should not have permissions for motd updates.
One noticeable change is pam_keyinit(8) being run under the user context (likewise to login(8)), leading to the session key having the security context of the user instead of sshd:

```
# current
keyctl security @s
system_u:system_r:sshd_t:s0
# changed
keyctl security @s
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
Also sync the comments with the login(8) pam configuration file.
/cc @bigon @etbe @selinux-team
p.s.:

In the current SELinux policy for Debian (selinux-policy-debian) this will require an addition of `userdom_manage_all_users_keys(sshd_t)` (similar to the existing `locallogin_t`):

```
type=PROCTITLE msg=audit(16/01/23 21:39:37.099:34) : proctitle=sshd: root [priv]
type=SYSCALL msg=audit(16/01/23 21:39:37.099:34) : arch=x86_64 syscall=keyctl success=no exit=EACCES(Permission denied) a0=0x8 a1=0xfffffffc a2=0xfffffffd a3=0x0 items=0 ppid=515 pid=529 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0 key=(null)
type=AVC msg=audit(16/01/23 21:39:37.099:34) : avc: denied { write } for pid=529 comm=sshd scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key permissive=0
```
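For readers who want to see what the ordering described in this MR looks like in a PAM session stack, the following is an added, constructed illustration of an sshd session section after the reorder. It is not the Debian `/etc/pam.d/sshd` file or a diff from this MR; module arguments, the `@include` line and the control flags are assumptions chosen to be plausible, and only the relative order of `pam_selinux.so close`, `pam_loginuid.so`, `pam_motd.so`, `pam_selinux.so open` and `pam_keyinit.so` reflects the description above.

```pam
# Constructed example session stack (not the actual Debian file).
# The decisive point is which modules run before and after
# "pam_selinux.so open", i.e. under the privileged sshd context
# versus under the user's updated security context.

# --- runs under the privileged (sshd_t) context ---

# Reset any SELinux context inherited from a previous session.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the audit loginuid; kept under the privileged context, like login(1) and Fedora.
session required     pam_loginuid.so

# The Debian pam_motd with "noupdate" calls system(3); users should not be able to
# trigger motd updates, so it stays in the privileged context as well.
session optional     pam_motd.so motd=/run/motd.dynamic
session optional     pam_motd.so noupdate

# Switch to the user's security context for everything that follows.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# --- runs under the user's context (e.g. unconfined_t) ---

# Session keyring is now created with the user's label rather than sshd_t.
# Under selinux-policy-debian this is the point that needs
# userdom_manage_all_users_keys(sshd_t), per the AVC denial above.
session optional     pam_keyinit.so force revoke

session required     pam_limits.so
session required     pam_env.so
session required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session optional     pam_mail.so standard noenv
@include common-session
```

To confirm the effect after a change like this, the `keyctl security @s` check already shown in the description is the right test: run it in a freshly opened ssh session and verify the session keyring carries the user's context rather than `sshd_t`, and check `ausearch -m AVC` on an enforcing policy for any `tclass=key` denials from `sshd_t` that would indicate the policy still lacks the corresponding allow rule.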