[neon/kde/kscreenlocker/Neon/unstable] debian: add pam files

Carlos De Maine null at kde.org
Sat Nov 4 05:20:56 GMT 2023 

Git commit e374eaf306a83401d462b22342be488ebdd3df93 by Carlos De Maine.
Committed on 04/11/2023 at 06:20.
Pushed by carlosdem into branch 'Neon/unstable'.

add pam files

A  +25   -0    debian/kscreenlocker.kde-fingerprint.pam
A  +25   -0    debian/kscreenlocker.kde-smartcard.pam
A  +27   -0    debian/kscreenlocker.kde.pam
M  +4    -2    debian/rules

https://invent.kde.org/neon/kde/kscreenlocker/-/commit/e374eaf306a83401d462b22342be488ebdd3df93

diff --git a/debian/kscreenlocker.kde-fingerprint.pam b/debian/kscreenlocker.kde-fingerprint.pam
new file mode 100644
index 0000000..07e73c5
--- /dev/null
+++ b/debian/kscreenlocker.kde-fingerprint.pam
@@ -0,0 +1,25 @@
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth	required	pam_succeed_if.so user != root quiet_success
+auth	required	pam_fprintd.so
+auth   optional        pam_kwallet5.so
+ at include common-account
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+ at include common-session
+session optional        pam_kwallet5.so auto_start
+password required       pam_fprintd.so
diff --git a/debian/kscreenlocker.kde-smartcard.pam b/debian/kscreenlocker.kde-smartcard.pam
new file mode 100644
index 0000000..01332f6
--- /dev/null
+++ b/debian/kscreenlocker.kde-smartcard.pam
@@ -0,0 +1,25 @@
+#%PAM-1.0
+auth    [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
+auth    required        pam_sss.so allow_missing_name require_cert_auth
+auth    requisite       pam_nologin.so
+auth    optional        pam_kwallet5.so
+
+ at include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+ at include common-session
+session optional        pam_kwallet5.so auto_start
diff --git a/debian/kscreenlocker.kde.pam b/debian/kscreenlocker.kde.pam
new file mode 100644
index 0000000..4ac40ed
--- /dev/null
+++ b/debian/kscreenlocker.kde.pam
@@ -0,0 +1,27 @@
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth    required        pam_succeed_if.so user != root quiet_success
+ at include common-auth
+auth   optional        pam_kwallet5.so
+ at include common-account
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+ at include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+ at include common-password
diff --git a/debian/rules b/debian/rules
index 47c772a..1d62f8d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,5 +5,7 @@
 %:
 	dh $@ --with kf6 --buildsystem kf6
 
-override_dh_shlibdeps:
-	dh_shlibdeps -l$(CURDIR)/debian/$(shell dh_listpackages | head -n1)/usr/kf6/lib/$(DEB_HOST_MULTIARCH)/
+override_dh_installpam:
+	dh_installpam --name=kde
+	dh_installpam --name=kde-fingerprint
+	dh_installpam --name=kde-smartcard
\ No newline at end of file

More information about the Neon-commits mailing list