Upgrade to Linux-PAM 0.77 with Security-Enhanced Linux support

Bug #12080 reported by Lorenzo Hernández García-Hierro (a.k.a. trulux)
Affects: pam (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

As one of the Hoary goals, the deployment of Security-Enhanced Linux needs both
userland and kernel space modifications. Userland modifications don't have a
negative impact on performance, and SELinux can be enabled and disabled at
runtime and boot time.

PAM is one of the key components that need to be modified in order to have
support for SELinux.
Users need to be authenticated and "allocated" in their proper contexts and such,
which is managed by the SELinux subsystem by using a specific PAM module.

It will also provide SELinux support for all of those applications that rely on
PAM modules for authentication (kdm is a good example).

The current PAM version for both Sid and Hoary is 0.76, which lacks the latest bug
fixes and extra features.
Of course, it also lacks SELinux support.

I've made upgraded packages available for Hoary, bringing an updated PAM
(0.77) with SELinux support, based on Russell Coker's packages; he was the man
working on SELinux deployment in Debian and did much work on it.

The packages can be found, including sources, at
http://apt.debian-hardened.org/hoary/.
It would be great to upgrade the current PAM packages to 0.77, as Manjo S. from
Debian is doing much work on the deployment of these features in Sid (but now
focusing on the forthcoming unstable branch).

Cheers,
Lorenzo.

http://www.ubuntulinux.org/wiki/UbuntuHardened

Revision history for this message
Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

(In reply to comment #0)
> It would be great to upgrade the current PAM packages to 0.77, as Manjo S. from
> Debian is doing much work on the deployment of these features in Sid (but now
> focusing on the forthcoming unstable branch).

Typo, he is Manoj Srivastava, sorry.

Cheers,
Lorenzo.

Matt Zimmerman (mdz) wrote :

(In reply to comment #0)
> As one of the Hoary goals, the deployment of Security-Enhanced Linux needs both
> userland and kernel space modifications. Userland modifications don't have a
> negative impact on performance, and SELinux can be enabled and disabled at
> runtime and boot time.

Note: SELinux, as documented on the HoaryGoals page in the wiki, was determined
to be too disruptive to enable for the Hoary release, and the work should rather
be done in a derivative distribution before being integrated.

> The current PAM version for both Sid and Hoary is 0.76, which lacks the latest bug
> fixes and extra features.
> Of course, it also lacks SELinux support.
>
> I've made upgraded packages available for Hoary, bringing an updated PAM
> (0.77) with SELinux support, based on Russell Coker's packages; he was the man
> working on SELinux deployment in Debian and did much work on it.

Neither PAM 0.76 nor PAM 0.77 support SELinux without additional patches. Are
the patches incompatible with PAM 0.76? Do the changes from PAM 0.76 to PAM
0.77 justify an exception to the release guidelines documented in the wiki?

Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

(In reply to comment #2)
> (In reply to comment #0)
> > As one of the Hoary goals, the deployment of Security-Enhanced Linux needs both
> > userland and kernel space modifications. Userland modifications don't have a
> > negative impact on performance, and SELinux can be enabled and disabled at
> > runtime and boot time.
>
> Note: SELinux, as documented on the HoaryGoals page in the wiki, was determined
> to be too disruptive to enable for the Hoary release, and the work should rather
> be done in a derivative distribution before being integrated.

SELinux wouldn't be enabled by default in Hoary AFAIK, as kernels will come with
selinux=0.

> > The current PAM version for both Sid and Hoary is 0.76, which lacks the latest bug
> > fixes and extra features.
> > Of course, it also lacks SELinux support.
> >
> > I've made upgraded packages available for Hoary, bringing an updated PAM
> > (0.77) with SELinux support, based on Russell Coker's packages; he was the man
> > working on SELinux deployment in Debian and did much work on it.
>
> Neither PAM 0.76 nor PAM 0.77 support SELinux without additional patches. Are
> the patches incompatible with PAM 0.76?

The latest patches come from Fedora's CVS, as userland patches wouldn't be hosted
on the NSA website anymore AFAIK.
The latest are for 0.78, as you can see at
http://cvs.fedora.redhat.com/viewcvs/devel/pam/pam-0.78-selinux.patch?rev=1.1&view=auto.

> Do the changes from PAM 0.76 to PAM
> 0.77 justify an exception to the release guidelines documented in the wiki?

Maybe, if we want to achieve the goal of having Hoary at least prepared for
future SELinux deployment in a reasonable time frame.

But in any case, that's the Ubuntu developers' decision; as I don't seem to be a
visible, vocal part of the user base, nor even a candidate to be one, it's not my
decision either. I'm just trying to help.

Cheers,
Lorenzo.

Matt Zimmerman (mdz) wrote :

PAM is a critical package, and I would prefer not to update to a new upstream
version unless it is to incorporate known fixes for bugs.

The SE Linux patch itself is fairly invasive, and I can't assess the risk
easily. I think it makes most sense to do SE Linux development outside the main
Ubuntu repository for packages where it can't be merged with very little risk.
If we are to provide a comprehensive SE Linux feature in a future release, its
development would need to begin earlier in the release cycle. At the start of
the Hoary cycle, there wasn't anyone interested in working on such a project,
but since you seem to be gaining momentum, please bring this up at the kickoff
meeting for the next release.

Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

Updated for Ubuntu Hardened Breezy goals.
Please check :)

Colin Watson (cjwatson) wrote :

We now have pam 0.79 in Dapper including the SELinux patch, thanks to Debian, so I think this bug is fixed.

pam (0.79-1) unstable; urgency=low

  * New upstream version (closes: #284954, #300775).
    - includes some fixes for typos (closes: #319026).
    - pam_unix should now be LSB 3.0-compliant (closes: #323982).
    - fixes segfaults in libpam on config file syntax errors
      (closes: #330097).
  * Drop patches 000_bootstrap, 004_libpam_makefile_static_works,
    011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes,
    025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set,
    033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE,
    035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required,
    041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors,
    051_32_bit_pam_lastlog_ll_time, and
    053_pam_unix_user_known_returns_user_unknown which have been
    integrated upstream.
  * Merge one last bit of patch 053 into patch 043, where it should have
    been in the first place.
  * Patch 057: SELinux support:
    - add support to pam_unix for copying SELinux security contexts when
      writing out new passwd/shadow files and creating lockfiles
    - support calling unix_chkpwd if opening /etc/shadow fails due to
      SELinux permissions
    - allow unix_chkpwd to authenticate for any user when in an SELinux
      context (hurray!); we depend on SELinux policies to prevent the
      helper's use as a brute force tool
    - also support querying user expiration info via unix_chkpwd
    - misc cleanup: clean up file descriptors when invoking unix_chkpwd
      (closes: #248310)
    - make pam_rootok check the SELinux passwd class permissions, not just
      the uid
    - add new pam_selinux module (closes: #249499)
  * Build-depend on libselinux1-dev.
  * Fix pam_getenv, so that it can read the actual format of /etc/environment
    instead of trying to read it using the syntax of
    /etc/security/pam_env.conf; thanks to Colin Watson for the patch.
    Closes: #327876.
  * Set LC_COLLATE=C when using alphabetic range expressions in
    debian/rules; bah, so *that's* what kept happening to my README file
    when trying to build out of svn! Closes: #295296.
  * Add a reference to the text of the GPL to debian/copyright.

 -- Steve Langasek <email address hidden> Sun, 25 Sep 2005 22:08:20 -0700

Changed in pam:
status: Unconfirmed → Fix Released