1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
--- a/data/pam/lightdm
+++ b/data/pam/lightdm
@@ -1,20 +1,35 @@
#%PAM-1.0
# Block login if they are globally disabled
-auth required pam_nologin.so
+auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+auth required pam_env.so envfile=/etc/default/locale
-# Use /etc/passwd and /etc/shadow for passwords
-auth required pam_unix.so
+@include common-auth
-# Check account is active, change password if required
-account required pam_unix.so
+-auth optional pam_gnome_keyring.so
-# Allow password to be changed
-password required pam_unix.so
+@include common-account
-# Setup session
-session required pam_unix.so
-session optional pam_systemd.so
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session required pam_limits.so
+session required pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+-session optional pam_gnome_keyring.so auto_start
+
+@include common-password
--- a/data/pam/lightdm-greeter
+++ b/data/pam/lightdm-greeter
@@ -1,7 +1,7 @@
#%PAM-1.0
# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+auth required pam_env.so envfile=/etc/default/locale
# Always let the greeter start without authentication
auth required pam_permit.so
--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
@@ -1,20 +1,35 @@
#%PAM-1.0
# Block login if they are globally disabled
-auth required pam_nologin.so
+auth requisite pam_nologin.so
# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+auth required pam_env.so envfile=/etc/default/locale
# Allow access without authentication
auth required pam_permit.so
-# Stop autologin if account requires action
-account required pam_unix.so
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session required pam_limits.so
+session required pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
# Can't change password
password required pam_deny.so
-# Setup session
-session required pam_unix.so
-session optional pam_systemd.so
+@include common-password
|
