Package Details: pam-selinux 1.5.2-1

Git Clone URL: https://aur.archlinux.org/pam-selinux.git (read-only)
Package Base: pam-selinux
Description: SELinux aware PAM (Pluggable Authentication Modules) library
Upstream URL: http://linux-pam.org
Keywords: selinux
Licenses: GPL2
Conflicts: pam, selinux-pam
Provides: libpam.so, libpamc.so, libpam_misc.so, pam, selinux-pam
Submitter: Siosm
Maintainer: IooNag
Last Packager: IooNag
Votes: 23
Popularity: 0.32
First Submitted: 2013-11-03 20:05 (UTC)
Last Updated: 2021-09-25 18:56 (UTC)

Pinned Comments

IooNag commented on 2021-10-10 19:27 (UTC)

WARNING: When upgrading a system using pam-selinux, it is recommended to keep a root shell open in a different session/terminal to fix issues, as the authentication system could break when a dependency is updated. For example when libnsl 2.0.0 was released, /usr/lib/security/pam_unix.so could no longer be loaded and pam-selinux needed to be rebuilt/updated in order to fix the authentication system.
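
A check that can be run from the spare root shell after an upgrade, as an added example (not part of the pam-selinux package or of the comment above): it reports PAM modules with an unresolved library or symbol. The function names are introduced here, glibc's `ldd -r` output format is assumed, and the sample output (including the `libnsl.so.2` name) is constructed.

```sh
#!/bin/sh
# Added example: find PAM modules that the dynamic loader can no longer
# load after a dependency upgrade.

# Read `ldd -r` output on stdin and print "module<TAB>reason" for every
# unresolved library or symbol. $1 is the module the output belongs to.
ldd_problems() {
    awk -v mod="$1" '
        / => not found/      { print mod "\tmissing library: " $1 }
        /^undefined symbol:/ { print mod "\tundefined symbol: " $3 }
    '
}

# Check every pam_*.so in a directory (default: the directory named in the
# warning). Prints the problems and returns 1 if any module is broken.
check_pam_modules() {
    dir=${1:-/usr/lib/security}
    problems=$(
        for m in "$dir"/pam_*.so; do
            if [ -e "$m" ]; then
                ldd -r "$m" 2>&1 | ldd_problems "$m"
            fi
        done
    )
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed `ldd -r` output for a module broken in two ways: a missing
# library and an undefined symbol.
sample_ldd_output() {
    printf '\tlibnsl.so.2 => not found\n'
    printf '\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000000)\n'
    printf 'undefined symbol: log_debug\t(/usr/lib/security/pam_unix.so)\n'
}

sample_ldd_output | ldd_problems /usr/lib/security/pam_unix.so
# On a real system, before closing the spare root shell:
#   check_pam_modules /usr/lib/security || echo "PAM is broken, stay logged in"
```

`ldd` invokes the dynamic loader on the file it inspects, so point it only at modules installed from packages you trust.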

Latest Comments

IooNag commented on 2021-12-02 20:03 (UTC) (edited on 2021-12-02 20:04 (UTC) by IooNag)

AkechiShiro: this key is part of the GPG key 296D6F29A020808E8717A8842DB5BD89A340AEB7 owned by "Dmitry V. Levin <ldv@altlinux.org>". You can find it on https://keyserver.ubuntu.com/pks/lookup?search=0x296D6F29A020808E8717A8842DB5BD89A340AEB7&fingerprint=on&op=index and I mirrored it in https://github.com/archlinuxhardened/selinux/blob/master/_pgp_cache/296D6F29A020808E8717A8842DB5BD89A340AEB7.asc . To fix your issue, you can use one of the following commands (whichever works on your system/network):

gpg --recv-key 0x296D6F29A020808E8717A8842DB5BD89A340AEB7
curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x296d6f29a020808e8717a8842db5bd89a340aeb7' | gpg --import
curl 'https://raw.githubusercontent.com/archlinuxhardened/selinux/master/_pgp_cache/296D6F29A020808E8717A8842DB5BD89A340AEB7.asc' | gpg --import
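
Piping a download straight into `gpg --import` accepts whatever the server returns. The following added example (not from the comment above) saves the key to a file first and imports it only if the key ID from the makepkg error belongs to the expected fingerprint. The function names are introduced here, `--show-keys` assumes GnuPG 2.2.8 or later, and the sample listing is constructed apart from the key ID and fingerprint quoted in this thread.

```sh
#!/bin/sh
# Added example: confirm a downloaded key is the expected one before import.

# Read a `gpg --with-colons` key listing on stdin. Succeed only if the long
# key ID $2 is the primary key or a subkey of the key with fingerprint $1.
key_belongs_to() {
    awk -F: -v want="$1" -v kid="$2" '
        BEGIN { want = toupper(want); kid = toupper(kid) }
        $1 == "pub" { primary = ""; need_fpr = 1; next }
        $1 == "fpr" && need_fpr {      # first fpr after pub is the primary key
            primary = toupper($10); need_fpr = 0
            if (primary == want && substr(primary, 25) == kid) found = 1
            next
        }
        $1 == "sub" && primary == want && toupper($5) == kid { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Inspect the key file without touching the keyring, then import it only if
# the check passes. $1 key file, $2 fingerprint, $3 long key ID.
import_if_expected() {
    gpg --show-keys --with-colons "$1" | key_belongs_to "$2" "$3" &&
        gpg --import "$1"
}

# Constructed, abridged listing: only the key ID and fingerprint fields
# carry values from this thread; every other field is a placeholder.
sample_listing() {
    printf 'pub:-:0:0:2DB5BD89A340AEB7:0:::-:::scESC:\n'
    printf 'fpr:::::::::296D6F29A020808E8717A8842DB5BD89A340AEB7:\n'
    printf 'uid:-::::0::0::Dmitry V. Levin <ldv@altlinux.org>:\n'
    printf 'sub:-:0:0:A8041FA839E16E36:0::::::s:\n'
}

if sample_listing | key_belongs_to \
    296D6F29A020808E8717A8842DB5BD89A340AEB7 A8041FA839E16E36
then echo "key ID belongs to the expected fingerprint"
else echo "MISMATCH: do not import"
fi
# Real use, after saving the key to key.asc with curl -o:
#   import_if_expected key.asc 296D6F29A020808E8717A8842DB5BD89A340AEB7 A8041FA839E16E36
```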

AkechiShiro commented on 2021-11-18 23:44 (UTC)

I'm hitting this error: Linux-PAM-1.5.2.tar.xz ... FAILED (unknown public key A8041FA839E16E36). Could someone tell me how I should solve this?

NobodyDBG commented on 2021-10-03 14:08 (UTC)

Hi, after installing this update I can't log in to the system. I tried with arch-chroot, but when I try "su user" the terminal shows "No modules". I can't rebuild it because makepkg doesn't work as root.

Is there any solution to fix it? I read this warning too late.

leuko commented on 2021-09-16 21:38 (UTC)

libnsl got updated, so this package has to be recompiled. Otherwise you may not be able to log in due to PAM errors.

IooNag commented on 2021-04-30 20:36 (UTC)

yar: there was indeed a bug in the PKGBUILD of pam-selinux. I probably fixed it in https://aur.archlinux.org/cgit/aur.git/commit/?h=pam-selinux&id=b156403746cf6d81e6737e8151faecaea7d0c627 and now pam-selinux package declares that it provides libpam.so=0-64. Does it fix your issue?

yar commented on 2021-04-30 06:42 (UTC) (edited on 2021-04-30 06:44 (UTC) by yar)

resolving dependencies...
looking for conflicting packages...
warning: removing 'pam' from target list because it conflicts with 'pam-selinux'
error: failed to prepare transaction (could not satisfy dependencies)
:: unable to satisfy dependency 'libpam.so=0-64' required by xscreensaver

This seems to conflict with xscreensaver now that they depend on libpam.so https://github.com/archlinux/svntogit-packages/commit/99c589cbcf3a1527a6751cf0d8ef2f298a036896

I'm not sure how to resolve this.

JoSSa commented on 2019-03-19 12:17 (UTC)

Yes, using 4.20.16.a-1-hardened. I have not been using linux-selinux anymore.

IooNag commented on 2019-03-17 14:19 (UTC)

JoSSa: which kernel are you using? On the virtual machine that I am using for tests, "passwd vagrant" works fine with linux-selinux (4.19.9.arch1-1) but not with linux-hardened (version 4.20.16.a-1-hardened). On this second kernel:

strace -e execve -f -s1024 passwd vagrant

execve("/usr/bin/passwd", ["passwd", "vagrant"], 0x7a1596282228 /* 33 vars */) = 0
strace: Process 422 attached
[pid 422] execve("/usr/bin/unix_chkpwd", ["/usr/bin/unix_chkpwd", "vagrant", "nullok"], 0x63ffd6b553e0 /* 0 vars */) = -1 ENOMEM (Cannot allocate memory)
[pid 422] --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
[pid 422] +++ killed by SIGSEGV +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=422, si_uid=0, si_status=SIGSEGV, si_utime=3, si_stime=14} ---
strace: Process 423 attached
[pid 423] execve("/usr/bin/unix_chkpwd", ["/usr/bin/unix_chkpwd", "vagrant", "chkexpiry"], 0x63ffd6b513a8 /* 0 vars */) = -1 ENOMEM (Cannot allocate memory)
[pid 423] --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
[pid 423] +++ killed by SIGSEGV +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=423, si_uid=0, si_status=SIGSEGV, si_utime=1, si_stime=15} ---
passwd: Authentication failure
passwd: password unchanged
+++ exited with 10 +++

What could make execve() syscall return ENOMEM?

JoSSa commented on 2019-03-02 03:56 (UTC)

Successfully compiled. But when I use "passwd <someuser>" as root, I get:

passwd: Authentication failure
passwd: password unchanged

even in selinux permissive mode. In the log file the error is (XXXX is my machine hostname):

Mar 01 22:46:23 XXXXX audit[1065]: ANOM_ABEND auid=1000 uid=0 gid=0 ses=3 subj=staff_u:staff_r:chkpwd_t:s0 pid=1065 comm="unix_chkpwd" exe="/usr/bin/unix_chkpwd" sig=11 res=1
Mar 01 22:46:23 XXXXX passwd[1063]: pam_unix(passwd:chauthtok): unix_chkpwd abnormal exit: 11

IooNag commented on 2019-02-23 08:42 (UTC)

@larrybowgensloth I successfully built the package today. What error have you got? Could you try building Arch Linux's official pam package?

larrybowgensloth commented on 2019-02-23 01:17 (UTC)

Sadly this doesn't compile anymore.

Siosm commented on 2014-01-02 21:49 (UTC)

Renamed to pam-selinux

skorgon commented on 2013-05-11 17:01 (UTC)

I can confirm, the updated release fixes the issue.

Nicky726 commented on 2013-05-11 15:16 (UTC)

I upgraded the package, so that it is now based on version 1.1.6-3 currently in [core]. I can log in without problems now. It seems to me, that a rebuild was needed due to libtirpc upgrade.

skorgon commented on 2013-05-11 05:42 (UTC)

This package and/or selinux-pam-base just prevented me from logging in to my system (gfx + tty).

journal with selinux-pam + selinux-pam-base:
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: pam_unix(kde:session): session opened for user skorgon by (uid=0)
May 10 22:11:34 skorgonTP systemd-logind[329]: New session 1 of user skorgon.
May 10 22:11:34 skorgonTP systemd-logind[329]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: pam_open_session() for skorgon failed: Module is unknown
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: Client start failed
May 10 20:42:45 skorgonTP login[340]: PAM unable to dlopen(/usr/lib/security/pam_unix.so): /usr/lib/security/pam_unix.so: undefined symbol: log_debug
May 10 20:42:45 skorgonTP login[340]: PAM adding faulty module: /usr/lib/security/pam_unix.so
May 10 20:42:45 skorgonTP login[340]: FAILED LOGIN SESSION FROM tty1 FOR root, Module is unknown

journal with stock pam + selinux-pam-base:
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_unix(kde:session): session opened for user skorgon by (uid=0)
May 10 22:11:39 skorgonTP systemd-logind[329]: New session 2 of user skorgon.
May 10 22:11:39 skorgonTP systemd-logind[329]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_open_session() for skorgon failed: Module is unknown
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: Client start failed
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_unix(kde:session): session closed for user skorgon
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_close_session() failed: Module is unknown
May 10 22:11:39 skorgonTP systemd-logind[329]: Removed session 2.
May 10 22:11:41 skorgonTP dhclient[493]: XMT: Solicit on wlp3s0, interval 8110ms.
May 10 22:11:41 skorgonTP dhclient[493]: RCV: Advertise message on wlp3s0 from fe80::1e14:48ff:fe5f:1a20.
May 10 22:11:41 skorgonTP dhclient[493]: message status code NoAddrsAvail: "No addresses available for this interface."
May 10 22:11:44 skorgonTP login[336]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:44 skorgonTP login[336]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:47 skorgonTP login[336]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 10 22:11:47 skorgonTP systemd-logind[329]: New session 3 of user root.
May 10 22:11:47 skorgonTP login[336]: Module is unknown

xangelux commented on 2013-02-25 16:13 (UTC)

It seems that the file contains that function, and it complains about redefining a function as well as getting the function parameters wrong, so I assume the function was added to the selinux packages with the correct parameters, so I deleted the function and it built properly. As I read, pam_unix2 is in charge of checking the password in shadow and passwd, so if it doesn't work anybody could notice in a sudo, su or even a login (I assume). Not sure if I'm correct, but so far I'm using that hack and nothing has gone wrong. I'm considering reporting it as a bug to the Arch devs.

Nicky726 commented on 2013-02-25 10:33 (UTC)

Unfortunately, I had no luck applying this patch either, but I have recreated it and this time the application and build succeeded. Not sure what the removal of the function does to the functionality of pam_unix2 though. Updated version uploaded, I have not changed pkgrel to correspond to the version in [core].

xangelux commented on 2013-02-24 20:34 (UTC)

I edited the patch to work with your files http://pastebin.com/0HMgS05n

xangelux commented on 2013-02-24 20:25 (UTC)

nevermind, I used a proxy :)

xangelux commented on 2013-02-24 20:24 (UTC)

It seems that pastebin is blocked in my country (I don't know why). Can you post it somewhere else? (i.e. pastie or gist on github)

Nicky726 commented on 2013-02-24 20:21 (UTC)

This is it: http://pastebin.com/PS8de8qP

xangelux commented on 2013-02-24 16:43 (UTC)

It worked for me, can you post your pam_unix2-2.9.1/src/selinux_utils.c ?

Nicky726 commented on 2013-02-24 11:03 (UTC)

Hi, unfortunately the patch does not work:

patching file src/read-files.c
patching file src/public.h
Hunk #1 succeeded at 97 with fuzz 2.
patching file src/selinux_utils.c
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file src/selinux_utils.c.rej

xangelux commented on 2013-02-24 09:39 (UTC)

I've created a patch for it to build normally (with pam_unix2) https://gist.github.com/xangelux/5023246

Nicky726 commented on 2013-02-10 16:14 (UTC)

Thank you! With this patch it builds and installs fine. Except for pam_unix2 which I skip, as discussed earlier. I have installed it on my testing machine and it seems to work fine, though I do not yet have SELinux installed there.

Siosm commented on 2013-02-09 23:25 (UTC)

First, sorry, I made this fix a while ago and it worked at that time (I'm guessing before the automake 1.13 release). This is a minor packaging bug which should be reported upstream (unfortunately I don't know where upstream is for pam...). The patch is taken from the Fedora repo: http://pkgs.fedoraproject.org/cgit/pam.git/tree/pam-1.1.6-install-empty.patch If you use the Fedora patch, you have to run autoreconf, and version 1.13 is not happy with pam... I have created a new patch/hack and re-uploaded it here: https://git.siosm.fr/siosm-selinux/tree/selinux-pam?h=untested Still untested. Should not break anything, but I can't promise. I have to build a new Arch SELinux test machine...

xangelux commented on 2013-02-09 19:29 (UTC)

I just sent a mail to the SELinux mailing list, I hope they respond soon.

Nicky726 commented on 2013-02-09 19:26 (UTC)

Hm, I already had the pam_namespace-build-1.1.6.patch, but the pam-1.1.6-install-empty.patch seems like it could make it past make install. However, with autoreconf in the PKGBUILD it fails during the autoreconf call, as xangelux noted, and without autoreconf in it the second patch seems not to be taken into account, that is, DESTDIR is ignored for some files and make install fails. I do not understand it on that level, so I am still stuck.

xangelux commented on 2013-02-09 17:46 (UTC)

@Siosm: it doesn't build, the classic warning about configure.in should be .ac, the AC_LANG_CONFTEST instead of AC_LANG_SOURCE and one error: parallel-tests: error: required file 'build-aux/test-driver' not found

xangelux commented on 2013-02-09 17:32 (UTC)

Should I test it? I mean, will it break my system or just make it uncomfortable if it doesn't work?

Siosm commented on 2013-02-09 13:26 (UTC)

@xangelux: You can try the PKGBUILD and the patches (some from Fedora) available here: https://git.siosm.fr/siosm-selinux/tree/selinux-pam?h=untested WARNING: I have NOT tested it yet!

xangelux commented on 2013-02-09 07:53 (UTC)

I've been looking for an answer, but no luck. Any luck on your part?

Nicky726 commented on 2012-11-18 18:26 (UTC)

OK, so with version 1.1.6 I managed to get pam to build with a patch from Fedora, but the build of pam_unix2 fails. That seems to be SELinux specific, but Fedora does not use it, so I don't know where to look for patches. From what I read in the bugzilla thread, it could be omitted. In that case I just hit a problem in make install of pam, when it tries to create a directory in /var/run. I'll try to figure out what options to send to make or make install so that it creates the directory in $pkgdir.

commented on 2012-11-12 22:13 (UTC)

The issue is still not fixed; I tried two patches.

Nicky726 commented on 2012-07-20 06:17 (UTC)

Hi, I reported a bug because of that: https://bugs.archlinux.org/task/30645 Please try it there, as it concerns the [core] version too and is not SELinux specific.

xangelux commented on 2012-07-19 23:02 (UTC)

I think I found a patch here, http://patches.openembedded.org/patch/31245/ but someone says there needs to be a sign of some sort, what do you think?

xangelux commented on 2012-07-19 22:51 (UTC)

I'm trying to build this, and fails on function ‘_unix_run_verify_binary’ in the pam_unix_acct.c file, it complains of not knowing the storage size of rlim, RLIMIT_NOFILE has not been declared

Nicky726 commented on 2012-07-11 17:57 (UTC)

Hello, I can reproduce this, although I did build the package successfully during the weekend. I can also reproduce this on a non-SELinux machine with pam from abs, so I'd say some upgrade at the end of the week broke the build. I mailed pam's maintainers so hopefully they'll find some fix.

commented on 2012-07-11 13:50 (UTC)

I cannot build this package. First it gave an error while compiling pam_unix_acct.c. When I added #include <sys/resource.h> to the source in some files (modules/pam_unix/pam_unix_acct.c, modules/pam_unix/pam_unix_passwd.c), the first part was compiled successfully. Adding this include didn't help with the second make. What could be the problem? http://pastebin.com/nhuf16nr

Nicky726 commented on 2012-07-10 07:16 (UTC)

This package now depends on pambase, which provides /etc/pam.d/system-login, which is where selinux specific changes previously in /etc/pam.d/login should go.

Nicky726 commented on 2012-05-06 20:05 (UTC)

Must have somehow slipped out during the rebase, thanks for noticing!

Siosm commented on 2012-05-06 18:25 (UTC)

Is there a particular reason you didn't use 'groups=('selinux' 'selinux-system-utilities')' in the PKGBUILD?

Siosm commented on 2012-05-06 16:05 (UTC)

This line was changed to 'make DESTDIR=$pkgdir install' in [core] so it's ok now.

Nicky726 commented on 2012-05-06 12:49 (UTC)

Rebased on the latest [core] update. Please check whether your change is still required; it built just fine for me.

Siosm commented on 2012-05-06 09:27 (UTC)

- make INSTALL=/bin/install DESTDIR=$pkgdir install + make INSTALL=install DESTDIR=$pkgdir install
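
Review bot: on the added line, INSTALL=install is resolved through PATH at build time, where the removed line pinned /bin/install; if the absolute path was the problem, an absolute /usr/bin/install keeps the binary pinned. DESTDIR=$pkgdir is also unquoted on both lines, so a package directory containing whitespace would split the argument; DESTDIR="$pkgdir" avoids that.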

commented on 2011-10-14 14:15 (UTC)

working mirror: http://ftp.task.gda.pl/vol/d0s0/ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.4.tar.bz2

commented on 2011-10-14 12:42 (UTC)

can't find Linux-PAM on kernel.org