Arch Linux

Renamed to pam-selinux

I can confirm, the updated release fixes the issue.

I upgraded the package, so that it is now based on version 1.1.6-3 currently in [core]. I can log in without problems now. It seems to me, that a rebuild was needed due to libtirpc upgrade.

This package and/or selinux-pam-base just prevented me from login to my system (gfx + tty).

journal with selinux-pam + selinux-pam-base
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: pam_unix(kde:session): session opened for user skorgon by (uid=0)
May 10 22:11:34 skorgonTP systemd-logind[329]: New session 1 of user skorgon.
May 10 22:11:34 skorgonTP systemd-logind[329]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: pam_open_session() for skorgon failed: Module is unknown
May 10 22:11:34 skorgonTP kdm[388]: :0[388]: Client start failed

May 10 20:42:45 skorgonTP login[340]: PAM unable to dlopen(/usr/lib/security/pam_unix.so): /usr/lib/security/pam_unix.so: undefined symbol: log_debug
May 10 20:42:45 skorgonTP login[340]: PAM adding faulty module: /usr/lib/security/pam_unix.so
May 10 20:42:45 skorgonTP login[340]: FAILED LOGIN SESSION FROM tty1 FOR root, Module is unknown

journal with stock pam + selinux-pam-base:
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_unix(kde:session): session opened for user skorgon by (uid=0)
May 10 22:11:39 skorgonTP systemd-logind[329]: New session 2 of user skorgon.
May 10 22:11:39 skorgonTP systemd-logind[329]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_open_session() for skorgon failed: Module is unknown
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: Client start failed
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_unix(kde:session): session closed for user skorgon
May 10 22:11:39 skorgonTP kdm[502]: :0[502]: pam_close_session() failed: Module is unknown
May 10 22:11:39 skorgonTP systemd-logind[329]: Removed session 2.
May 10 22:11:41 skorgonTP dhclient[493]: XMT: Solicit on wlp3s0, interval 8110ms.
May 10 22:11:41 skorgonTP dhclient[493]: RCV: Advertise message on wlp3s0 from fe80::1e14:48ff:fe5f:1a20.
May 10 22:11:41 skorgonTP dhclient[493]: message status code NoAddrsAvail: "No addresses available for this interface."
May 10 22:11:44 skorgonTP login[336]: PAM unable to dlopen(/usr/lib/security/pam_selinux.so): /usr/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
May 10 22:11:44 skorgonTP login[336]: PAM adding faulty module: /usr/lib/security/pam_selinux.so
May 10 22:11:47 skorgonTP login[336]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 10 22:11:47 skorgonTP systemd-logind[329]: New session 3 of user root.
May 10 22:11:47 skorgonTP login[336]: Module is unknown

it seems that the file contains that functions and it complains about re-defining a functions as well as getting the function parameters wrong, so I assume the function was added to the selinux packages with the correct parameters so I deleted the function and it builded properly. As I read pam_unix2 is in charge of checking the password in shadow and passwd so if it doesn't work anybody could notice in a sudo, su or even a login (I assume). Not sure if I'm correct but so far I'm ussing that hack and nothing has gone wrong. I'm considering reporting it as a bug to arch devs.

Unfortunately, I had no luck applying this patch either, but I have recreated it and this time the aplication and build succeeded. Not sure what does the removal of the function do to the functionality of pam_unix2 though.
Updated version uploaded, I have not changed pkgrel to correspond to the version in [core].

I edited the patch to work with your files
http://pastebin.com/0HMgS05n

nevermind, I used a proxy :)

it seems that pastebin is blocked on my country (I don't know why) can you post it somewhere else? (i.e. pastie or gist on github)

This is it: http://pastebin.com/PS8de8qP

It worked for me, can you post your pam_unix2-2.9.1/src/selinux_utils.c ?

Hi, unfortunately the patch does not work:
patching file src/read-files.c
patching file src/public.h
Hunk #1 succeeded at 97 with fuzz 2.
patching file src/selinux_utils.c
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file src/selinux_utils.c.rej

I've created a patch for it to build normally (with pam_unix2) https://gist.github.com/xangelux/5023246

Thank you! With this patch it builds and installs fine. Excespt for pam_unix2 which I skip, as discussed earlier. I have installed in my testing machine and it seams to work fine, though I do not yet have SELinux installed there.

First sorry, I made this fix a while ago and it worked at that time (I'm guessing before the automake 1.13 release).

This is a minor packaging bug which should be reported upstream (unfortunately I don't were upstream is for pam...). The patch is taken from the Fedora repo: http://pkgs.fedoraproject.org/cgit/pam.git/tree/pam-1.1.6-install-empty.patch

If you use the Fedora patch, you have to run autoreconf, and version 1.13 is not happy with pam... I have created a new patch/hack and re-uploaded it here: https://git.siosm.fr/siosm-selinux/tree/selinux-pam?h=untested

Still Untested. Should not break anything, but I can't promise. I have to build a new Arch SELinux test machine...

I just sended a mail to the SELinux mailing list, I hope they respond soon.

Hm, I already had the pam_namespace-build-1.1.6.patch, but the pam-1.1.6-install-empty.patch seems it could make it past make install. However, with autoreconf in the PKGBUILD it fails during autoreconf call as xangelux noted and without autoreconf in it the second patch seems not to be taken in acount, that is DESTDIR is for some files ignored and make install fails. I do not understand it on that level, so I am still stuck.

@Siosm: it doesn't build, the clasic warning about configure.in should be .ac, the AC_LANG_CONFTEST instead of AC_LANG_SOURCE and one error:

parallel-tests: error: required file 'build-aux/test-driver' not found

Should I test it? I mean, will it break my system or just make it uncofortable if it doesn't work?

@xangelux: You can try the PKGBUILD and the patches (some from Fedora) available here: https://git.siosm.fr/siosm-selinux/tree/selinux-pam?h=untested

WARNING: I have NOT tested it yet!

I've been looking for an answer, but no luck, any luck in your part?

OK, so with version 1.1.6 I managed to get the pam build with a patch from Fedora, but the build of pam_unix2 fails. That seems to be SELinux specific, but Fedora does not use it, so I don't know where to look for patches. From what I read in the bugzilla thread, it could be omitted. In that case I just hit problem in make install of pam, when it tries to create a directory in /var/run. I'll try to figure out what options to send to make or make install so that it creates the directory in $pkgdir.

The issue still not fix, i tried two patch.

Hi, I reported a bug because of that: https://bugs.archlinux.org/task/30645 Please try it there, as it concerns the [core] version too and is not SELinux specific.

I think I found a patch here, http://patches.openembedded.org/patch/31245/ but someone says there needs to be a sign of some sort, what do you think?

I'm trying to build this, and fails on function ‘_unix_run_verify_binary’ in the pam_unix_acct.c file, it complains of not knowing the storage size of rlim, RLIMIT_NOFILE has not been declared

Hello, I can reproduce this, although I did build the package successfully during weekend. I can also reproduce this on non-SELinux machine with pam from abs, so I'd say some upgrade at the end of the week broke the build. I mailed pam's maintainers so hopefully they'll find some fix.

I can not build this package.
First it gave error during compiling pam_unix_acct.c
When i added #include<sys/resource.h> to the source in some files (modules/pam_unix/pam_unix_acct.c, modules/pam_unix/pam_unix_passwd.c) the first part was compiled successfully.
Adding this include didn't helped by the second make.
What could be the problem?
http://pastebin.com/nhuf16nr

This package now depends on pambase, which provides /etc/pam.d/system-login, which is where selinux specific changes previously in /etc/pam.d/login should go.

Must have somehow slip out during the rebase, thanx for noticing!

Is there a particular reason you didn't use 'groups=('selinux' 'selinux-system-utilities')' in thePKGBUILD ?

This line was changed to 'make DESTDIR=$pkgdir install' in [core] so it's ok now.

Rebased on latest [core] update, please check, wheather is your change still required, it built just fine for me.

- make INSTALL=/bin/install DESTDIR=$pkgdir install
+ make INSTALL=install DESTDIR=$pkgdir install

working mirror: http://ftp.task.gda.pl/vol/d0s0/ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.4.tar.bz2