shadow-utils: Update SELinux and loginuid session entries.

The current pam.d config sets the loginuid by su/sudo. The loginuid should always reflect the UID that the user logged in as. Add pam_selinux.so to login configs so users will have the correct SELinux context on their session. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-09-09 19:20:02 +00:00 · 2021-09-09 19:20:02 +00:00 · f4a923205f
--- a/SPECS/shadow-utils/pam.d/login
+++ b/SPECS/shadow-utils/pam.d/login
@ -23,6 +23,12 @@ account   required    pam_access.so
 # include the default account settings
 account   include     system-account

+# pam_selinux.so close should be the first session rule
+session   required    pam_selinux.so close
+
+# set audit loginuid for the user
+session   required    pam_loginuid.so
+
 # Set default environment variables for the user
 session   required    pam_env.so

@ -40,6 +46,10 @@ session   required    pam_limits.so

 # include the default session and password settings
 session   include     system-session
+
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session   required    pam_selinux.so open
+
 password  include     system-password

 # End /etc/pam.d/login
--- a/SPECS/shadow-utils/pam.d/sshd
+++ b/SPECS/shadow-utils/pam.d/sshd
@ -3,7 +3,17 @@
 auth            include         system-auth
 account         include         system-account
 password        include         system-password
+
+# pam_selinux.so close should be the first session rule
+session         required        pam_selinux.so close
+
+# set audit loginuid for the user
+session         required        pam_loginuid.so
+
 session         include         system-session

+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session         required        pam_selinux.so open
+
 # End /etc/pam.d/sshd

--- a/SPECS/shadow-utils/pam.d/system-session
+++ b/SPECS/shadow-utils/pam.d/system-session
@ -3,6 +3,5 @@
 session   required    pam_unix.so
 session   required    pam_limits.so
 session   optional    pam_systemd.so
-session   optional    pam_loginuid.so

 # End /etc/pam.d/system-session
--- a/SPECS/shadow-utils/shadow-utils.signatures.json
+++ b/SPECS/shadow-utils/shadow-utils.signatures.json
@ -2,17 +2,17 @@
 "Signatures": {
  "chage": "7c150a795713d1b3a47a93f835bf415c281e9053405299c6320cd7cb5af40c48",
  "chpasswd": "50f35a317009f0a24a0d579c23f7296a87734ecd6ce5d5f7fa8e2ebee7acd4c4",
-  "login": "ea50ed3eb831f405d65bdef2f01aee9f8899f7e689a4c6c9f420ca1f670ac6ce",
+  "login": "dd52d528a7d36494357c55c6c3a9c8836fb45d4c5f47a2c58e811cf133a14bf8",
  "login-defs": "ed6b875273ed7e817db4315bac451847a415768ed0f0df948cf8e06c0a3fec8b",
  "other": "461e53f138a8e5d1ed20033f8d9363c56f2187ce2a0551d57860140da40e1697",
  "passwd": "9a5ed6eb156b0bafc462056ec22f0ee8d2a2c7507af79d41f8a71c268806c4c6",
  "shadow-4.9.tar.xz": "feec1f2ce9c1b62798afd35a7d1b04cefdfa3a0a30ff3e75d6965ba8978c9144",
-  "sshd": "85b5c5146c920146d1c0ada62b9bfeefec797023bff7c486f034a6f6faad0202",
+  "sshd": "6a393d2c1810e584a6195e6229535184b46bf4cd42fd6d0daab9a110f1525f99",
  "su": "c7f5f066e5e021deae9dd72cc897240cfdef869da33148f19c8d5e13f5bd0510",
  "system-account": "a8295e4780b323cac83ca08c65c8cd47ca26e516d64ed857fd3f4ac1f1a8ccc4",
  "system-auth": "da912d0b5fe0ee9d70403ca88402974f2c24b6dfeb2c8adc037c72297a859590",
  "system-password": "644e12cde448e732edde812abef10f4e16ef0f8d41c0cdf60e3ad30adf37cdeb",
-  "system-session": "6f23e44b3af0ac754494aee8a6ce4f3a203020dbff7a6ea5de3b75bad3b2f6ab",
+  "system-session": "48bec4f01054f6821e8da1e9aa884220325ea6816751a9a9229088a52e04fba9",
  "useradd-default": "b239b5620f0c23ef901ea19172e60e38322abbe366e04c94d03ca08f5b936125"
 }
 }
--- a/SPECS/shadow-utils/shadow-utils.spec
+++ b/SPECS/shadow-utils/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary:        Programs for handling passwords in a secure way
 Name:           shadow-utils
 Version:        4.9
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -23,20 +23,21 @@ Source12:       useradd-default
 Source13:       login-defs
 Patch0:         chkname-allowcase.patch
 Patch1:         libsubid-pam-link.patch
+BuildRequires:  %{_bindir}/xsltproc
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  cracklib
 BuildRequires:  cracklib-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  libsemanage-devel
-BuildRequires:  pam-devel
-BuildRequires:  autoconf
-BuildRequires:  automake
 BuildRequires:  libtool
+BuildRequires:  pam-devel
 Requires:       cracklib
+Requires:       libselinux
+Requires:       libsemanage
 Requires:       pam
 Provides:       /sbin/nologin
 Provides:       passwd = %{version}-%{release}
-Requires:       libselinux
-Requires:       libsemanage

 %description
 The Shadow package contains programs for handling passwords
@ -181,6 +182,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libsubid.so

 %changelog
+* Thu Sep 16 2021 Chris PeBenito <chpebeni@microsoft.com> - 4.9-3
+- Update pam.d configuration for SELinux logins.
+- Change loginuid to be set only on logins.
+- Add missing BuildRequires for xsltproc.
+
 * Fri Sep 10 2021 Thomas Crain <thcrain@microsoft.com> - 4.9-2
 - Update system-password PAM config to use pam_pwquality.so instead of removed pam_cracklib.so
 - Add license to subid subpackage
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -587,10 +587,10 @@ rpm-libs-4.14.2.1-4.cm2.aarch64.rpm
 sed-4.5-3.cm2.aarch64.rpm
 sed-debuginfo-4.5-3.cm2.aarch64.rpm
 sed-lang-4.5-3.cm2.aarch64.rpm
-shadow-utils-4.9-2.cm2.aarch64.rpm
-shadow-utils-debuginfo-4.9-2.cm2.aarch64.rpm
-shadow-utils-subid-4.9-2.cm2.aarch64.rpm
-shadow-utils-subid-devel-4.9-2.cm2.aarch64.rpm
+shadow-utils-4.9-3.cm2.aarch64.rpm
+shadow-utils-debuginfo-4.9-3.cm2.aarch64.rpm
+shadow-utils-subid-4.9-3.cm2.aarch64.rpm
+shadow-utils-subid-devel-4.9-3.cm2.aarch64.rpm
 sqlite-3.34.1-1.cm2.aarch64.rpm
 sqlite-debuginfo-3.34.1-1.cm2.aarch64.rpm
 sqlite-devel-3.34.1-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -587,10 +587,10 @@ rpm-libs-4.14.2.1-4.cm2.x86_64.rpm
 sed-4.5-3.cm2.x86_64.rpm
 sed-debuginfo-4.5-3.cm2.x86_64.rpm
 sed-lang-4.5-3.cm2.x86_64.rpm
-shadow-utils-4.9-2.cm2.x86_64.rpm
-shadow-utils-debuginfo-4.9-2.cm2.x86_64.rpm
-shadow-utils-subid-4.9-2.cm2.x86_64.rpm
-shadow-utils-subid-devel-4.9-2.cm2.x86_64.rpm
+shadow-utils-4.9-3.cm2.x86_64.rpm
+shadow-utils-debuginfo-4.9-3.cm2.x86_64.rpm
+shadow-utils-subid-4.9-3.cm2.x86_64.rpm
+shadow-utils-subid-devel-4.9-3.cm2.x86_64.rpm
 sqlite-3.34.1-1.cm2.x86_64.rpm
 sqlite-debuginfo-3.34.1-1.cm2.x86_64.rpm
 sqlite-devel-3.34.1-1.cm2.x86_64.rpm