IDEA: /etc/pam.d/*/*

Ethan Benson erbenson at alaska.net
Sun Jul 25 10:11:23 UTC 2004


On Sun, Jul 25, 2004 at 10:57:39AM +0100, Luke Kenneth Casson Leighton wrote:
> there is a minor issue of inter-dependence of packages that may
> be resolved by applying the usual debian approach of 
> "if-it-was-a-config-file-make-it-a-directory".
> 
> the issue is that Debian has to cater for SELinux being
> installed and not installed.
> 
> openssh, login, kdm, gdm, su and several other packages all
> require "session pam_selinux.so required" to be added to
> their respective /etc/pam.d/XXX configurations in order for
> SE/Linux to operate correctly.
> 
> Redhat is solving the issue by always enabling SE/Linux by
> default.
> 
> Debian has no such luxury.
> 
> therefore, openssh etc. etc. cannot accept upstream patches
> to have /etc/pam.d/ssh include that line by default, because
> if you do, and pam_selinux.so is not installed, you're hosed.

sounds overcomplicated.

how about having debian packages Depend: libpam-selinux | libpam-fakeselinux

where libpam-selinux is the real selinux module, and
libpam-fakeselinux is a fake version which is equivalent to
pam_permit, both packages would conflict with each other and provide
/lib/security/pam_selinux.so

then your packages can just go ahead and include the pam_selinux.so
lines in their config files without worry of things blowing up if
selinux is not in use.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
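
A check for the failure mode discussed in this thread (a /etc/pam.d entry naming a module file that is not installed), as an added example that is not part of the original message. The function names and the sample tree are constructed for illustration, and both directories are passed as parameters.

```shell
# List PAM modules named in a pam.d tree that are missing from the module dir.

# Print the module field of every rule in one pam.d file.
pam_modules_in_file() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        $1 == "@include" { next }                # names a file, not a module
        $2 == "include" || $2 == "substack" { next }
        {
            i = 2                                 # control field
            if ($i ~ /^\[/)                       # bracketed form: [a=b c=d]
                while (i < NF && $i !~ /\]$/) i++
            if (i < NF) print $(i + 1)            # field after control = module
        }
    ' "$1"
}

# Print "service: module" for each referenced module file that does not exist.
missing_pam_modules() {
    pam_dir=$1; mod_dir=$2
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        pam_modules_in_file "$f" | sort -u | while read -r mod; do
            case $mod in
                /*) path=$mod ;;                 # absolute module path
                *)  path=$mod_dir/$mod ;;
            esac
            [ -e "$path" ] || echo "${f##*/}: $mod"
        done
    done
}

# Build a constructed sample tree (not from a real system); prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/pam.d" "$t/security"
    : > "$t/security/pam_unix.so"
    cat > "$t/pam.d/ssh" <<'EOF'
# constructed sample
auth     required  pam_unix.so
session  required  pam_selinux.so
session  [success=ok default=ignore]  pam_selinux.so open
@include common-auth
EOF
    echo "$t"
}
```

On a real system the call would be `missing_pam_modules /etc/pam.d /lib/security`; the module directory differs between distributions and architectures.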