On Mon, 2005-02-21 at 13:58 -0600, Klaus Weidner wrote:
> Your code already works for me with sshd if you put pam_audit.so into
> the "session" stack:
>
> Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
> Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
> Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
> Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
> Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
> [kw@rhel4 ~]$ cat /proc/self/loginuid
> 500
Yes, Steve was likely assuming that it wouldn't work because we couldn't
use pam_selinux with sshd. But that is due to the fact that we also
need to relabel the pty in pam_selinux, which is not an issue for
pam_audit.
> session required pam_stack.so service=system-auth
> session required pam_audit.so
Hmm...for pam_selinux, we have to bracket the pam stack with pam_selinux
close and pam_selinux open to ensure that the SELinux exec security
context is not set until _after_ all other pam modules (and their
helpers) have executed on session open and is closed _before_ all other
pam modules (and their helpers) execute on session close. Is that a
concern for the loginuid?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
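As an added example (not code from either poster), a small POSIX sh check of the ordering question raised above: it parses a PAM service file in the RHEL4-era single-file layout from the mail (a constructed copy of the sshd session stack is embedded) and reports where pam_audit.so sits in the session stack, whether it is the last session module, and its control flag. It does not descend into the pam_stack.so nested service, so a "last" result is a heuristic, not proof that every helper has already run.

```sh
#!/bin/sh
# Constructed sample of /etc/pam.d/sshd with pam_audit.so appended to the
# session stack, as in the mail.  Assumed layout: "type control module args".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_audit.so
EOF

# Print the session-stack module names in stack order (comments skipped).
session_modules() {
    awk '$1 == "session" { print $3 }' "$1"
}

# Print the 1-based position of module $2 in the session stack of file $1,
# or 0 when the module is not listed at all.
session_position() {
    session_modules "$1" \
        | awk -v m="$2" '$0 == m { print NR; found = 1; exit }
                         END { if (!found) print 0 }'
}

# Succeed when pam_audit.so is the final session module, i.e. every other
# session module listed directly in this file runs before loginuid is set.
audit_last_in_session() {
    last=$(session_modules "$1" | tail -n 1)
    [ "$last" = "pam_audit.so" ]
}

# Print the control flag on the pam_audit.so session line ("required" is
# what the mail shows; "optional" would let a failure go unnoticed).
audit_control_flag() {
    awk '$1 == "session" && $3 == "pam_audit.so" { print $2; exit }' "$1"
}

# Stand-alone run: report the findings for the sample file.
echo "pam_audit.so session position: $(session_position "$SAMPLE" pam_audit.so)"
if audit_last_in_session "$SAMPLE"; then
    echo "pam_audit.so is the last session module"
else
    echo "pam_audit.so is NOT the last session module"
fi
echo "pam_audit.so control flag: $(audit_control_flag "$SAMPLE")"
```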