On Thu, 2020-07-09 at 13:41 +0200, Dominick Grift wrote: > Change references to pam_selinux_permit to pam_sepermit > Replace gdm-password with sshd PAM configuration (from Fedora 33) as > pam_sepermit in the existing example might not always work correctly > when called from the auth section: > https://bugzilla.redhat.com/show_bug.cgi?id=1492313 > Reference the pam_selinux(8) and pam_sepermit(8) manuals > > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx> > --- > src/pam_login.md | 50 ++++++++++++++++++++++---------------------- > ---- > 1 file changed, 23 insertions(+), 27 deletions(-) > Acked-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > diff --git a/src/pam_login.md b/src/pam_login.md > index 0c5a256..213a9f3 100644 > --- a/src/pam_login.md > +++ b/src/pam_login.md 
> @@ -68,41 +68,37 @@ consist of multiple lines of information that are > formatted as follows: > </tbody> > </table> > > -The */etc/pam.d/gdm-password* PAM configuration file for the Gnome > login > +The */etc/pam.d/sshd* PAM configuration file for the OpenSSH > service is as follows: > > ``` > -auth [success=done ignore=ignore default=bad] > pam_selinux_permit.so > -auth substack password-auth > -auth optional pam_gnome_keyring.so > -auth include postlogin > - > -account required pam_nologin.so > -account include password-auth > - > -password substack password-auth > --password optional pam_gnome_keyring.so use_authtok > - > -session required pam_selinux.so close > -session required pam_loginuid.so > -session optional pam_console.so > -session required pam_selinux.so open > -session optional pam_keyinit.so force revoke > -session required pam_namespace.so > -session include password-auth > -session optional pam_gnome_keyring.so auto_start > -session include postlogin > +#%PAM-1.0 > + > +auth substack password-auth > +auth include postlogin > +account required pam_sepermit.so > +account required pam_nologin.so > +account include password-auth > +password include password-auth > +session required pam_selinux.so close > +session required pam_loginuid.so > +session required pam_selinux.so open > +session required pam_namespace.so > +session optional pam_keyinit.so force revoke > +session optional pam_motd.so > +session include password-auth > +session include postlogin > ``` > > The core services are provided by PAM, however other library modules > can > be written to manage specific services such as support for SELinux. 
> The > -SELinux PAM modules use the *libselinux* API to obtain its > configuration > -information and the three SELinux PAM entries highlighted in the > above > -configuration file perform the following functions: > +***pam_sepermit**(8)* and ***pam_selinux**(8)* SELinux PAM modules > use > +the *libselinux* API to obtain its configuration information and the > +three SELinux PAM entries highlighted in the above configuration > file > +perform the following functions: > > -- ***pam_selinux_permit.so*** - Allows pre-defined users the > ability to > - logon without a password provided that SELinux is in enforcing > mode (see > - the > +- ***pam_sepermit.so*** - Allows pre-defined users the ability to > + logon provided that SELinux is in enforcing mode (see the > [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuri > tysepermit.conf) > section). > - ***pam_selinux.so open*** - Allows a security context to be set > up for
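Review bot: the new intro line "The */etc/pam.d/sshd* PAM configuration file for the OpenSSH service is as follows:" drops the provenance that the commit message gives (Fedora 33). PAM stacks are distribution-specific, and this file depends on the Fedora/RHEL `password-auth` and `postlogin` substacks, so a reader on another distribution will not find this file as shown; suggest "The */etc/pam.d/sshd* PAM configuration file for the OpenSSH service, as shipped in Fedora 33, is as follows:". In the same hunk, "use the *libselinux* API to obtain its configuration information" now has two subjects (pam_sepermit and pam_selinux), so "its" should be "their". Finally, the rewritten *pam_sepermit.so* bullet only states the allow case ("provided that SELinux is in enforcing mode"); since the patch now cites pam_sepermit(8), it would be worth stating the other half of what that manual describes, namely that users matching an entry in *sepermit.conf* are denied login when SELinux is not in enforcing mode, as that denial is the module's purpose. The "highlighted" wording is pre-existing, but nothing is highlighted in a plain fenced block; "the three SELinux PAM entries in the above configuration file" reads more accurately.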