On Sun, Jul 25, 2004 at 10:57:39AM +0100, Luke Kenneth Casson Leighton wrote: > there is a minor issue of inter-dependence of packages that may > be resolved by applying the usual debian approach of > "if-it-was-a-config-file-make-it-a-directory". > > the issue is that Debian has to cater for SELinux being > installed and not installed. > > openssh, login, kdm, gdm, su and several other packages all > require "session pam_selinux.so required" to be added to > their respective /etc/pam.d/XXX configurations in order for > SE/Linux to operate correctly. > > Redhat is solving the issue by always enabling SE/Linux by > default. > > Debian has no such luxury. > > therefore, openssh etc. etc. cannot accept upstream patches > to have /etc/pam.d/ssh include that line by default, because > if you do, and pam_selinux.so is not installed, you're hosed. sounds overcomplicated. how about having debian packages Depend: libpam-selinux | libpam-fakeselinux where libpam-selinux is the real selinux module, and libpam-fakeselinux is a fake version which is equivilent to pam_permit, both packages would conflict with each other and provide /lib/security/pam_selinux.so then your packages can just go ahead and include the pam_selinux.so lines in their config files without worry of things blowing up if selinux is not in use. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpjWMbOYTNFN.pgp
Description: PGP signature
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
