When SELinux support is enabled, the login pam file installed by
linux-pam should be adjusted to use the pam_selinux.so module.
To achieve this in a reasonably simple manner, we introduce the SELinux
related lines in login.pam as comments, and if SELinux support is
enabled, turn those commented lines into real lines.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
LINUX_PAM_CONF_OPTS += --enable-selinux
LINUX_PAM_DEPENDENCIES += libselinux
+define LINUX_PAM_SELINUX_PAMFILE_TWEAK
+ $(SED) 's/^# \(.*pam_selinux.so.*\)$$/\1/' \
+ $(TARGET_DIR)/etc/pam.d/login
+endef
else
LINUX_PAM_CONF_OPTS += --disable-selinux
endif
$(TARGET_DIR)/etc/pam.d/login
$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
$(TARGET_DIR)/etc/pam.d/other
+ $(LINUX_PAM_SELINUX_PAMFILE_TWEAK)
endef
LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
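Review bot: The sed in `LINUX_PAM_SELINUX_PAMFILE_TWEAK` exits successfully even when it matches nothing. If login.pam is ever reformatted, the image would be built with SELinux enabled while login never loads pam_selinux.so, and the build would not report it. The pattern is also loose: the dots are unescaped and it uncomments any `# ` line that mentions pam_selinux.so, including a future explanatory comment. I would anchor it on the rule type, `$(SED) 's/^# \(session[[:space:]].*pam_selinux\.so.*\)$$/\1/'`, and add a following line `grep -q '^session.*pam_selinux\.so' $(TARGET_DIR)/etc/pam.d/login` so the hook fails when the lines were not activated. The LINUX_PAM_INSTALL_CONFIG define that calls the tweak starts outside the visible lines.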
password required pam_unix.so nullok
+# session required pam_selinux.so close
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_lastlog.so
+# session required pam_selinux.so open
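Review bot: The two added `pam_selinux.so` lines read as ordinary dead comments, and nothing in login.pam tells a maintainer that the build turns them into live session rules or that their exact `# ` prefix and position matter. Someone tidying the file could delete or re-indent them, which would silently drop the SELinux context setup at login. I would add a line above the first one such as `# SELinux session rules below are activated by linux-pam.mk when libselinux is selected; keep the "# " prefix and the close-first/open-last order.` That wording deliberately avoids the module name, because the sed added in this commit uncomments any `# ` line containing it.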