archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

pam-selinux 1.4.0-3 update #46

Closed fishilico closed 4 years ago

fishilico commented 4 years ago

Hi, here is an upgrade for package pam-selinux that I am testing. As a maintainer, I do not want to push the upgrade of pam-selinux to version 1.4.0 before the official pam package gets upgraded, as it caused multiple issues during Arch Linux's testing (cf. https://bugs.archlinux.org/task/67347, https://bugs.archlinux.org/task/67519 and https://bugs.archlinux.org/task/67369, as well as the 3 patches that have been backported).

I also added --enable-tally2 to work around issue https://github.com/archlinuxhardened/selinux/issues/41. By the way, I mainly open this PR in order to enable users to "just cherry-pick a commit or checkout a git branch" in order to build packages, considering the incompatibility between libselinux 3.1 and pam 1.3 (cf. https://github.com/archlinuxhardened/selinux/issues/37).

Feel free to test this package and report issues and suggest improvements in this Pull Request.

shammancer commented 4 years ago

Figured I'd let you know that this branch works, with the bulk update. And as expected I was able to log in without migrating off pam tally.

tqre commented 4 years ago

Thanks for this. Also tested build on this branch, and it works with no imminent issues.

tqre commented 4 years ago

It looks like 1.4.0-3 made it to core repositories, so I think this branch is good to go. https://github.com/archlinux/svntogit-packages/tree/packages/pam/trunk

EDIT: pambase needs an update naturally

fishilico commented 4 years ago

Before upgrading, I wanted to solve a potential issue for upgrading users who install pambase-selinux 20200721.1-2 before pam-selinux 1.4.0-3, which breaks the system (and makes sudo and su no longer work).

By adding --enable-tally2 in pam-selinux like I did in this Pull Request, pam-selinux can safely be upgraded before pambase-selinux. So a possible way to fix this consists in making pambase-selinux depend on pam-selinux>=1.4.0 (in order to have module pam_faillock.so). This is the contrary of the current dependency link (pam depends on pambase).

In fact, this inversion of the dependency link makes sense in itself, because pambase-selinux provides configuration files with pam_selinux.so, which is only provided in the pam-selinux package. So it makes complete sense to ensure that pam-selinux is installed before pambase-selinux.

I added commits to this Pull Request to do this. If nobody finds issues with this approach, I will update the packages in a few days.
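As an added example (not code from the PR or from the selinux repository), a small POSIX shell check that lists PAM modules referenced by a pam.d tree but absent from the module directory, which is exactly the state a system lands in when pambase-selinux is installed before pam-selinux provides pam_faillock.so; all paths and the sample config below are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-upgrade sanity check: which PAM modules does a pam.d tree reference that the
# module directory does not provide? Added example; not part of the selinux repo.
set -eu

# Print "file:module" for every referenced module missing from module_dir.
# Handles "-type" prefixes and bracketed control fields; continuation lines ("\")
# are not joined, so a module name on a continued line would be missed.
pam_missing_modules() {
    pamd_dir="$1"
    module_dir="$2"
    for f in "$pamd_dir"/*; do
        [ -f "$f" ] || continue
        sed -e 's/\[[^]]*\]/CTRL/' "$f" \
            | grep -Ev '^[[:space:]]*(#|$|@include)' \
            | awk 'NF >= 3 { print $3 }' \
            | sort -u \
            | while read -r mod; do
                case "$mod" in
                    /*) path="$mod" ;;                 # absolute module path
                    *)  path="$module_dir/$mod" ;;
                esac
                [ -e "$path" ] || printf '%s:%s\n' "$(basename "$f")" "$mod"
            done
    done
}

# Build a constructed tree reproducing the ordering problem from the thread:
# a pambase-style config that already uses pam_faillock.so, while the module
# directory still only ships pam_tally2.so (pam 1.3). Prints the root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pam.d" "$root/security"
    cat > "$root/pam.d/system-auth" <<'EOF'
#%PAM-1.0
auth      required                   pam_faillock.so  preauth
auth      [success=1 default=bad]    pam_unix.so      try_first_pass nullok
auth      [default=die]              pam_faillock.so  authfail
-session  optional                   pam_systemd.so
session   required                   pam_selinux.so   open
EOF
    for m in pam_unix.so pam_tally2.so pam_systemd.so pam_selinux.so; do
        : > "$root/security/$m"
    done
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
pam_missing_modules "$root/pam.d" "$root/security"   # prints system-auth:pam_faillock.so
```

Run it against a real /etc/pam.d and /usr/lib/security before installing the new pambase-selinux; any output means the matching pam-selinux package must go in first.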

tqre commented 4 years ago

I built & installed with this branch along with the recent pull requests I made. https://github.com/archlinuxhardened/selinux/pull/48 https://github.com/archlinuxhardened/selinux/pull/50 https://github.com/archlinuxhardened/selinux/pull/51

No errors to report. Also updating a running bare-metal system did fine.

fishilico commented 4 years ago

Merged: https://github.com/archlinuxhardened/selinux/commits/8895e1a40a777f4aa5b5cee96a7bc101bdcb127b