From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:32:15 -0400
Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch

---
 SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
index 0f5c061..72303eb 100644
--- a/SOURCES/sshd.pam
+++ b/SOURCES/sshd.pam
@@ -1,20 +1,24 @@
 #%PAM-1.0
-auth	   required	pam_sepermit.so
-auth       substack     password-auth
-auth       include      postlogin
-# Used with polkit to reauthorize users in remote sessions
--auth      optional     pam_reauthorize.so prepare
+
+auth       include      common-auth
 account    required     pam_nologin.so
-account    include      password-auth
-password   include      password-auth
-# pam_selinux.so close should be the first session rule
-session    required     pam_selinux.so close
-session    required     pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session    required     pam_selinux.so open env_params
-session    required     pam_namespace.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account    include      common-account
+password   include      common-password
 session    optional     pam_keyinit.so force revoke
-session    include      password-auth
-session    include      postlogin
-# Used with polkit to reauthorize users in remote sessions
--session   optional     pam_reauthorize.so prepare
+session    include      common-session
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-- 
1.9.1