From: Saul Wold <sgw@linux.intel.com>
To: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Cc: Koen Kooi <koen@dominion.thruhere.net>
Subject: Re: [PATCH] shadow: remove selinux entry from pam.d/login
Date: Thu, 02 Jun 2011 17:21:15 -0700
Message-ID: <4DE828FB.6030903@linux.intel.com>
In-Reply-To: <1306866804-12443-1-git-send-email-koen@dominion.thruhere.net>
On 05/31/2011 11:33 AM, Koen Kooi wrote:
> SELinux has been disabled in the recipe, leading to messages like this:
>
> [ 167.643218] login[312]: PAM unable to dlopen(/lib/security/pam_selinux.so): /lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
> [ 167.670837] login[312]: PAM adding faulty module: /lib/security/pam_selinux.so
>
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
> meta/recipes-extended/shadow/files/pam.d/login | 7 -------
> meta/recipes-extended/shadow/shadow.inc | 2 ++
> 2 files changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
> index e41eb04..e4dacc2 100644
> --- a/meta/recipes-extended/shadow/files/pam.d/login
> +++ b/meta/recipes-extended/shadow/files/pam.d/login
> @@ -26,13 +26,6 @@ auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_secur
> # (Replaces the `NOLOGINS_FILE' option from login.defs)
> auth requisite pam_nologin.so
>
> -# SELinux needs to be the first session rule. This ensures that any
> -# lingering context has been cleared. Without out this it is possible
> -# that a module could execute code in the wrong domain.
> -# When the module is present, "required" would be sufficient (When SELinux
> -# is disabled, this returns success.)
> -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> -
> # This module parses environment configuration file(s)
> # and also allows you to use an extended config
> # file /etc/security/pam_env.conf.
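Review bot: the `session ... pam_selinux.so close` rule is deleted unconditionally, and the comment deleted with it says the rule must be the first session entry so that a module cannot execute code in the wrong domain. The recipe now has SELinux disabled, so the removal fits today's build, but nothing left in the file tells a layer that re-enables SELinux to put the rule back. Please either leave a short comment in its place or state in the commit message that builds with SELinux enabled must restore this entry ahead of the other session rules. Also note that the diffstat shows all 7 deletions in pam.d/login fall in this one hunk, so if the file carries any other `pam_selinux.so` line outside the visible context it is untouched and would still produce the same dlopen message at login; worth confirming before merge.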
> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
> index 42f92a7..35bd6a8 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -6,6 +6,8 @@ LICENSE = "BSD | Artistic"
> LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
> file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
>
> +PR = "r1"
> +
> PAM_PLUGINS = " libpam-runtime \
> pam-plugin-faildelay \
> pam-plugin-securetty \
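Review bot: `PR = "r1"` is assigned in shadow.inc rather than in a versioned recipe, so it applies to every recipe that includes this file, and the commit message does not mention the bump. Please confirm that no recipe including shadow.inc also assigns PR, since one of the two assignments would silently win and the pam.d/login change might not trigger a rebuild or package upgrade for that recipe. If the include is shared, the usual OE pattern of an `INC_PR` in the .inc combined with `PR = "${INC_PR}.0"` in each recipe avoids that ambiguity. A one-line mention of the PR bump in the commit message would also help.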
Merged into oe-core
Thanks
Sau!