Created attachment 325524
Output of emerge --info

Hi, hope that this is not a duplicate or something stupid, but recently I have migrated to the SELinux profile: default/linux/amd64/10.0/selinux. I have noticed that my context after opening a konsole terminal is:

system_u:system_r:xdm_t

which effectively prohibited me from changing to staff_r/sysadm_r via newrole. I googled a bit and found a solution/gentoo BUG 393329:

http://gentoo.2317880.n4.nabble.com/Gnome-wrong-Selinux-user-role-td160492.html
https://393329.bugs.gentoo.org/attachment.cgi?id=294905

I have applied it to /etc/pam.d/kde and now the context is correct:

staff_u:staff_r:staff_t

Shouldn't it be made default for KDE too? Thx for a reply.
There's another bug lingering somewhere about including the system-login pam configuration in other pam configs (like kdm/xdm) to automatically inherit the SELinux stuff. Perhaps that's a possibility here as well?
Thanks for reporting. New version masked in kde overlay available. Please note that this version bump addresses bug #422495 also.

http://git.overlays.gentoo.org/gitweb/?p=proj/kde.git;a=commit;h=bb0a90872c54b1a4314bed80d69e9763582cd44c
(In reply to comment #2)
> Thanks for reporting. New version masked in kde overlay available. Please
> note that this version bump addresses bug #422495 also.
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/kde.git;a=commit;h=bb0a90872c54b1a4314bed80d69e9763582cd44c

Unmasked in overlay. Please give feedback.
This appears to break my kwallet. Syslog has the following messages:

Nov 01 14:41:57 [kcheckpass] PAM unable to dlopen(/lib64/security/pam_selinux.so): /lib64/security/pam_selinux.so: cannot open shared object file: No such file or directory
Nov 01 14:41:57 [kcheckpass] PAM adding faulty module: /lib64/security/pam_selinux.so

It lists the same message earlier for kdm. In addition I get a message box when KDM starts, that it is going to log in my user. This was not there previously. I use autologin without a password.
Yes, referencing a pam module in the configuration files requires that the module is available / exists, regardless of the call (optional/required/requisite/...). I also couldn't find a directive to have it ignored.

Would it make sense to include system-login? If we have a SELinux profile, then we patch system-login to call the pam_selinux.so. And if not, then we don't. By including the system-login PAM configuration, you can abstract yourself from the SELinux stuff.

*But* you must make sure that the content of system-login (for PAM) matches what you want. After all, we are talking about authentication here, don't want to mess that up...
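Added example, not part of the comment above and not code from the kdebase-pam ebuild: a small Python check for the failure shown in the syslog excerpt, listing the modules a pam.d file names that are not present in the module directory. The sample file contents, the function names and the temporary module directory are constructed for illustration; backslash line continuations are not handled.

```python
import os
import tempfile

# Constructed sample, not the file shipped by kdebase-pam.
SAMPLE = """\
# /etc/pam.d/kde (illustrative)
auth     include   system-login
session  required  pam_selinux.so close
session  [success=ok default=ignore]  pam_env.so
session  required  pam_selinux.so open
"""

def referenced_modules(text):
    """Yield (lineno, module) for every module line of a pam.d-style file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):
            continue
        parts = line.split(None, 1)                  # type, remainder
        if len(parts) < 2:
            continue
        rest = parts[1].strip()
        if rest.startswith("["):                     # "[value=action ...]" control
            control, _, rest = rest.partition("]")
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        # include/substack name another config file, not a module
        if control in ("include", "substack") or not rest.strip():
            continue
        yield lineno, rest.split()[0]

def missing_modules(text, module_dirs):
    """Return [(lineno, module)] for referenced modules that are not on disk."""
    missing = []
    for lineno, mod in referenced_modules(text):
        paths = [mod] if os.path.isabs(mod) else [os.path.join(d, mod) for d in module_dirs]
        if not any(os.path.isfile(p) for p in paths):
            missing.append((lineno, mod))
    return missing

def demo():
    """Check SAMPLE against a temporary module dir that only holds pam_env.so."""
    with tempfile.TemporaryDirectory() as moddir:
        open(os.path.join(moddir, "pam_env.so"), "w").close()
        return missing_modules(SAMPLE, [moddir])

if __name__ == "__main__":
    for lineno, mod in demo():
        print(f"line {lineno}: {mod} not found")
```

On a real system the inputs would be the contents of /etc/pam.d/kde and the directory named in the log message, /lib64/security.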
Better late than never :) Ebuild works for me.
Thanks all, overlay version is moved to the tree.

+ 03 May 2013; Johannes Huber <johu@gentoo.org> +files/kde-np.pam-9, + +files/kde.pam-9, +kdebase-pam-9.ebuild: + Version bump, fixes bugs #422495, #436948. Thanks to all who were involved.