pam-selinux 1.4.0-3 update #46

Closed
wants to merge 4 commits into from

fishilico
Member

Hi,
Here is an upgrade for package pam-selinux, that I am testing. As a maintainer, I do not want to push the upgrade pam-selinux to version 1.4.0 before the official pam package gets upgraded, as it caused multiple issues during Arch Linux's testing (cf. https://bugs.archlinux.org/task/67347, https://bugs.archlinux.org/task/67519 and https://bugs.archlinux.org/task/67369, as well as the 3 patches that have been backported).

I also added --enable-tally2 to work around issue #41. By the way, I mainly open this PR in order to enable users to "just cherry-pick a commit or checkout a git branch" in order to build packages, considering the incompatibility between libselinux 3.1 and pam 1.3 (cf. #37).

Feel free to test this package and report issues and suggest improvements in this Pull Request.

@shammancer
Contributor

Figured, I'd let you know that this branch works, with the bulk update. And as expected I was able to log in without migrating off pam tally.

@tqre
Contributor

tqre commented Aug 16, 2020

Thanks for this.
Also tested build on this branch, and it works with no imminent issues.

@tqre
Contributor

tqre commented Aug 19, 2020

It looks like 1.4.0-3 made it to core repositories, so I think this branch is good to go.
https://github.com/archlinux/svntogit-packages/tree/packages/pam/trunk

EDIT: pambase needs an update naturally

pambase-selinux adds rules that use pam_selinux.so, which is provided by
package pam-selinux. So, to be able to install pam-selinux before
pambase-selinux, pambase-selinux should depend on pam-selinux and
not the other way round.

@fishilico
Member Author

Before upgrading, I wanted to solve a potential issue for users upgrading that install pambase-selinux 20200721.1-2 before pam-selinux 1.4.0-3, which breaks the system (and makes sudo and su no longer work).

By adding --enable-tally2 in pam-selinux like I did in this Pull Request, pam-selinux can safely be upgraded before pambase-selinux. So a possible way to fix this consists in making pambase-selinux depend on pam-selinux>=1.4.0 (in order to have module pam_faillock.so). This is the contrary of the current dependency link (pam depends on pambase).

In fact, this inversion of dependency link makes sense in itself, because pambase-selinux provides configuration files with pam_selinux.so, which is only provided in pam-selinux package. So it makes complete sense to ensure that pam-selinux is installed before pambase-selinux.

I added commits to this Pull Request to do this. If nobody finds issues with this approach, I will update the packages in a few days.
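
The failure mode described in the comment above (PAM configuration that references a module such as pam_faillock.so which the installed pam package does not yet provide), as an added example that is not part of the pull request or the project's code: a shell function that lists modules referenced under a PAM configuration directory but missing from the module directory. The function names, the `/usr/lib/security` default and the sample stack are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report PAM modules that are referenced but not installed.
# Usage: missing_pam_modules [CONF_DIR] [MODULE_DIR]
# Limitation: lines continued with a trailing backslash are not joined.
missing_pam_modules() {
    conf_dir=${1:-/etc/pam.d}
    mod_dir=${2:-/usr/lib/security}   # assumption: Arch Linux module directory
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
            {
                line = $0
                sub(/^[ \t]*-?[a-z]+[ \t]+/, "", line) # drop type (auth, -session, ...)
                if (substr(line, 1, 1) == "[") {
                    # bracketed control such as [success=1 default=bad]
                    line = substr(line, index(line, "]") + 1)
                    sub(/^[ \t]+/, "", line)
                } else {
                    split(line, w, /[ \t]+/)
                    # include/substack name another config file, not a module
                    if (w[1] == "include" || w[1] == "substack") next
                    sub(/^[^ \t]+[ \t]+/, "", line)    # drop simple control
                }
                split(line, m, /[ \t]+/)
                if (m[1] != "") print m[1]
            }' "$f"
    done | sort -u | while read -r mod; do
        case $mod in
            /*) path=$mod ;;             # absolute module path
            *)  path=$mod_dir/$mod ;;    # relative to the module directory
        esac
        [ -e "$path" ] || printf '%s\n' "$mod"
    done
}

# Constructed sample: the stack uses pam_faillock.so, but the module directory
# only holds pam_unix.so and pam_selinux.so (configuration upgraded first).
demo() {
    d=$(mktemp -d)
    mkdir "$d/pam.d" "$d/security"
    printf '%s\n' '#%PAM-1.0' \
        'auth  required  pam_faillock.so  preauth' \
        'auth  [success=1 default=bad]  pam_unix.so  try_first_pass' \
        'auth  include  system-login' \
        '-session  required  pam_selinux.so  open' > "$d/pam.d/system-auth"
    touch "$d/security/pam_unix.so" "$d/security/pam_selinux.so"
    missing_pam_modules "$d/pam.d" "$d/security"
    rm -rf "$d"
}
```

Running `missing_pam_modules` with no arguments checks the live `/etc/pam.d`; empty output means every referenced module resolves.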

@tqre
Contributor

tqre commented Aug 22, 2020

I built & installed with this branch along with the recent pull requests I made.
#48
#50
#51

No errors to report. Also updating a running bare-metal system did fine.
