%define pam_redhat_version 0.99.11

Summary: An extensible library which provides authentication for applications

Name: pam

Version: 1.3.1

Release: 14%{?dist}

# The library is BSD licensed with option to relicense as GPLv2+

# - this option is redundant as the BSD license allows that anyway.

# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.

License: BSD and GPLv2+

Group: System Environment/Base

Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz

Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz.asc

Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2

Source5: other.pamd

Source6: system-auth.pamd

Source7: password-auth.pamd

Source8: fingerprint-auth.pamd

Source9: smartcard-auth.pamd

Source10: config-util.pamd

Source11: dlopen.sh

Source12: system-auth.5

Source13: config-util.5

Source15: pamtmp.conf

Source16: postlogin.pamd

Source17: postlogin.5

Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Patch1:  pam-1.2.0-redhat-modules.patch

Patch4:  pam-1.1.0-console-nochmod.patch

Patch5:  pam-1.1.0-notally.patch

Patch7:  pam-1.2.1-faillock.patch

Patch8:  pam-1.2.1-faillock-admin-group.patch

Patch9:  pam-1.3.1-noflex.patch

Patch10: pam-1.1.3-nouserenv.patch

Patch13: pam-1.1.6-limits-user.patch

Patch15: pam-1.1.8-full-relro.patch

# FIPS related - non upstreamable

Patch20: pam-1.2.0-unix-no-fallback.patch

Patch28: pam-1.1.1-console-errmsg.patch

# Upstreamed partially

Patch29: pam-1.3.0-pwhistory-helper.patch

Patch31: pam-1.1.8-audit-user-mgmt.patch

Patch32: pam-1.2.1-console-devname.patch

Patch33: pam-1.3.0-unix-nomsg.patch

Patch34: pam-1.3.1-coverity.patch

Patch35: pam-1.3.1-console-build.patch

Patch36: pam-1.3.1-faillock-update.patch

Patch37: pam-1.3.1-namespace-mntopts.patch

Patch38: pam-1.3.1-lastlog-no-showfailed.patch

Patch39: pam-1.3.1-lastlog-unlimited-fsize.patch

Patch40: pam-1.3.1-unix-improve-logging.patch

Patch41: pam-1.3.1-tty-audit-manfix.patch

Patch42: pam-1.3.1-fds-closing.patch

Patch43: pam-1.3.1-authtok-verify-fix.patch

Patch44: pam-1.3.1-motd-manpage.patch

# Upstreamed

Patch45: pam-1.3.1-pam-usertype.patch

# Upstreamed

Patch46: pam-1.3.1-audit-error.patch

# Upstreamed

Patch47: pam-1.3.1-pam-modutil-close-write.patch

# https://github.com/linux-pam/linux-pam/commit/6bf9b454eb971083f0cce49faa2aa1cde329ff5d

# https://github.com/linux-pam/linux-pam/commit/9091ea1d81e85f49a221b0325d27b22ce69e444a

# https://github.com/linux-pam/linux-pam/commit/a3a5cbf86083c43026b558e2023f597530626267

Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch

# https://github.com/linux-pam/linux-pam/commit/491e5500b6b3913f531574208274358a2df88659

Patch49: pam-1.3.1-namespace-gdm-doc.patch

%define _pamlibdir %{_libdir}

%define _moduledir %{_libdir}/security

%define _secconfdir %{_sysconfdir}/security

%define _pamconfdir %{_sysconfdir}/pam.d

%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}

%define WITH_SELINUX 1

%endif

%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}

%define WITH_AUDIT 1

%endif

%global _performance_build 1

Recommends: cracklib-dicts >= 2.8

Requires: libpwquality >= 0.9.9

Requires(post): coreutils, /sbin/ldconfig

BuildRequires: autoconf >= 2.60

BuildRequires: automake, libtool

BuildRequires: bison, flex, sed

BuildRequires: cracklib-devel

BuildRequires: perl-interpreter, pkgconfig, gettext-devel

BuildRequires: libtirpc-devel, libnsl2-devel

%if %{WITH_AUDIT}

BuildRequires: audit-libs-devel >= 1.0.8

Requires: audit-libs >= 1.0.8

%endif

%if %{WITH_SELINUX}

BuildRequires: libselinux-devel >= 1.33.2

Requires: libselinux >= 1.33.2

%endif

Requires: glibc >= 2.3.90-37

BuildRequires: libdb-devel

# Following deps are necessary only to build the pam library documentation.

BuildRequires: linuxdoc-tools, elinks, libxslt

BuildRequires: docbook-style-xsl, docbook-dtds

URL: http://www.linux-pam.org/

%description

PAM (Pluggable Authentication Modules) is a system security tool that

allows system administrators to set authentication policy without

having to recompile programs that handle authentication.

%package devel

Group: Development/Libraries

Summary: Files needed for developing PAM-aware applications and modules for PAM

Requires: pam%{?_isa} = %{version}-%{release}

%description devel

PAM (Pluggable Authentication Modules) is a system security tool that

allows system administrators to set authentication policy without

having to recompile programs that handle authentication. This package

contains header files used for building both PAM-aware applications

and modules for use with the PAM system.

%prep

%setup -q -n Linux-PAM-%{version} -a 2

perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub

perl -pi -e "s/\/lib \/usr\/lib/\/lib \/usr\/lib \/lib64 \/usr\/lib64/" m4/libtool.m4

# Add custom modules.

mv pam-redhat-%{pam_redhat_version}/* modules

cp %{SOURCE18} .

%patch1 -p1 -b .redhat-modules

%patch4 -p1 -b .nochmod

%patch5 -p1 -b .notally

%patch7 -p1 -b .faillock

%patch8 -p1 -b .admin-group

%patch9 -p1 -b .noflex

%patch10 -p1 -b .nouserenv

%patch13 -p1 -b .limits

%patch15 -p1 -b .relro

%patch20 -p1 -b .no-fallback

%patch28 -p1 -b .errmsg

%patch29 -p1 -b .pwhhelper

%patch31 -p1 -b .audit-user-mgmt

%patch32 -p1 -b .devname

%patch33 -p1 -b .nomsg

%patch34 -p1 -b .coverity

%patch35 -p1 -b .console-build

%patch36 -p1 -b .faillock-update

%patch37 -p1 -b .mntopts

%patch38 -p1 -b .no-showfailed

%patch39 -p1 -b .unlimited-fsize

%patch40 -p1 -b .improve-logging

%patch41 -p1 -b .tty-audit-manfix

%patch42 -p1 -b .fds-closing

%patch43 -p1 -b .authtok-verify-fix

%patch44 -p1 -b .motd-manpage

%patch45 -p1 -b .pam-usertype

%patch46 -p1 -b .audit-error

%patch47 -p1 -b .pam-modutil-close-write

%patch48 -p1 -b .wheel-pam_ruser-fallback

%patch49 -p1 -b .namespace-gdm-doc

autoreconf -i

%build

%configure \

	--disable-rpath \

	--libdir=%{_pamlibdir} \

	--includedir=%{_includedir}/security \

%if ! %{WITH_SELINUX}

	--disable-selinux \

%endif

%if ! %{WITH_AUDIT}

	--disable-audit \

%endif

	--disable-static \

	--disable-prelude

make -C po update-gmo

make

# we do not use _smp_mflags because the build of sources in yacc/flex fails

%install

mkdir -p doc/txts

for readme in modules/pam_*/README ; do

	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`

done

rm -rf doc/txts/README.pam_tally*

rm -rf doc/sag/html/*pam_tally*

# Install the binaries, libraries, and modules.

make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:

%if %{WITH_SELINUX}

# Temporary compat link

ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so

%endif

# RPM uses docs from source tree

rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM

# Included in setup package

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment

# Install default configuration files.

install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}

install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other

install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth

install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth

install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth

install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth

install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util

install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin

install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd

install -d -m 755 $RPM_BUILD_ROOT/var/log

install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock

# Install man pages.

install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/

ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5

ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5

ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5

for phase in auth acct passwd session ; do

	ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so 

done

# Remove .la files and make new .so links -- this depends on the value

# of _libdir not changing, and *not* being /usr/lib.

for lib in libpam libpamc libpam_misc ; do

rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la

done

rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la

%if "%{_pamlibdir}" != "%{_libdir}"

install -d -m 755 $RPM_BUILD_ROOT%{_libdir}

for lib in libpam libpamc libpam_misc ; do

pushd $RPM_BUILD_ROOT%{_libdir}

ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so

popd

rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so

done

%endif

# Duplicate doc file sets.

rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam

# Install the file for autocreation of /var/run subdirectories on boot

install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf

%find_lang Linux-PAM

%check

# Make sure every module subdirectory gave us a module.  Yes, this is hackish.

for dir in modules/pam_* ; do

if [ -d ${dir} ] ; then

%if ! %{WITH_SELINUX}

	[ ${dir} = "modules/pam_selinux" ] && continue

	[ ${dir} = "modules/pam_sepermit" ] && continue

%endif

%if ! %{WITH_AUDIT}

	[ ${dir} = "modules/pam_tty_audit" ] && continue

%endif

	[ ${dir} = "modules/pam_tally" ] && continue

	[ ${dir} = "modules/pam_tally2" ] && continue

	if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then

		echo ERROR `basename ${dir}` did not build a module.

		exit 1

	fi

fi

done

# Check for module problems.  Specifically, check that every module we just

# installed can actually be loaded by a minimal PAM-aware application.

/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}

for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do

	if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \

		 %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then

		echo ERROR module: ${module} cannot be loaded.

		exit 1

	fi

done

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%files -f Linux-PAM.lang

%dir %{_pamconfdir}

%config(noreplace) %{_pamconfdir}/other

%config(noreplace) %{_pamconfdir}/system-auth

%config(noreplace) %{_pamconfdir}/password-auth

%config(noreplace) %{_pamconfdir}/fingerprint-auth

%config(noreplace) %{_pamconfdir}/smartcard-auth

%config(noreplace) %{_pamconfdir}/config-util

%config(noreplace) %{_pamconfdir}/postlogin

%{!?_licensedir:%global license %%doc}

%license Copyright

%license gpl-2.0.txt

%doc doc/txts

%doc doc/sag/*.txt doc/sag/html

%{_pamlibdir}/libpam.so.*

%{_pamlibdir}/libpamc.so.*

%{_pamlibdir}/libpam_misc.so.*

%{_sbindir}/pam_console_apply

%{_sbindir}/faillock

%attr(4755,root,root) %{_sbindir}/pam_timestamp_check

%attr(4755,root,root) %{_sbindir}/unix_chkpwd

%attr(0700,root,root) %{_sbindir}/unix_update

%attr(0755,root,root) %{_sbindir}/mkhomedir_helper

%attr(0755,root,root) %{_sbindir}/pwhistory_helper

%dir %{_moduledir}

%{_moduledir}/pam_access.so

%{_moduledir}/pam_chroot.so

%{_moduledir}/pam_console.so

%{_moduledir}/pam_cracklib.so

%{_moduledir}/pam_debug.so

%{_moduledir}/pam_deny.so

%{_moduledir}/pam_echo.so

%{_moduledir}/pam_env.so

%{_moduledir}/pam_exec.so

%{_moduledir}/pam_faildelay.so

%{_moduledir}/pam_faillock.so

%{_moduledir}/pam_filter.so

%{_moduledir}/pam_ftp.so

%{_moduledir}/pam_group.so

%{_moduledir}/pam_issue.so

%{_moduledir}/pam_keyinit.so

%{_moduledir}/pam_lastlog.so

%{_moduledir}/pam_limits.so

%{_moduledir}/pam_listfile.so

%{_moduledir}/pam_localuser.so

%{_moduledir}/pam_loginuid.so

%{_moduledir}/pam_mail.so

%{_moduledir}/pam_mkhomedir.so

%{_moduledir}/pam_motd.so

%{_moduledir}/pam_namespace.so

%{_moduledir}/pam_nologin.so

%{_moduledir}/pam_permit.so

%{_moduledir}/pam_postgresok.so

%{_moduledir}/pam_pwhistory.so

%{_moduledir}/pam_rhosts.so

%{_moduledir}/pam_rootok.so

%if %{WITH_SELINUX}

%{_moduledir}/pam_selinux.so

%{_moduledir}/pam_selinux_permit.so

%{_moduledir}/pam_sepermit.so

%endif

%{_moduledir}/pam_securetty.so

%{_moduledir}/pam_shells.so

%{_moduledir}/pam_stress.so

%{_moduledir}/pam_succeed_if.so

%{_moduledir}/pam_time.so

%{_moduledir}/pam_timestamp.so

%if %{WITH_AUDIT}

%{_moduledir}/pam_tty_audit.so

%endif

%{_moduledir}/pam_umask.so

%{_moduledir}/pam_unix.so

%{_moduledir}/pam_unix_acct.so

%{_moduledir}/pam_unix_auth.so

%{_moduledir}/pam_unix_passwd.so

%{_moduledir}/pam_unix_session.so

%{_moduledir}/pam_userdb.so

%{_moduledir}/pam_usertype.so

%{_moduledir}/pam_warn.so

%{_moduledir}/pam_wheel.so

%{_moduledir}/pam_xauth.so

%{_moduledir}/pam_filter

%dir %{_secconfdir}

%config(noreplace) %{_secconfdir}/access.conf

%config(noreplace) %{_secconfdir}/chroot.conf

%config %{_secconfdir}/console.perms

%config(noreplace) %{_secconfdir}/console.handlers

%config(noreplace) %{_secconfdir}/faillock.conf

%config(noreplace) %{_secconfdir}/group.conf

%config(noreplace) %{_secconfdir}/limits.conf

%dir %{_secconfdir}/limits.d

%config(noreplace) %{_secconfdir}/namespace.conf

%dir %{_secconfdir}/namespace.d

%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init

%config(noreplace) %{_secconfdir}/pam_env.conf

%config(noreplace) %{_secconfdir}/time.conf

%config(noreplace) %{_secconfdir}/opasswd

%dir %{_secconfdir}/console.apps

%dir %{_secconfdir}/console.perms.d

%dir /var/run/console

%if %{WITH_SELINUX}

%config(noreplace) %{_secconfdir}/sepermit.conf

%dir /var/run/sepermit

%endif

%dir /var/run/faillock

%{_prefix}/lib/tmpfiles.d/pam.conf

%{_mandir}/man5/*

%{_mandir}/man8/*

%files devel

%{_includedir}/security

%{_mandir}/man3/*

%{_libdir}/libpam.so

%{_libdir}/libpamc.so

%{_libdir}/libpam_misc.so

%doc doc/mwg/*.txt doc/mwg/html

%doc doc/adg/*.txt doc/adg/html

%doc doc/specs/rfc86.0.txt

%changelog

* Thu Nov  5 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-14

- Revert 1.3.1-12

* Fri Oct 30 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-13

- pam_wheel: if getlogin fails fallback to PAM_RUSER: fixed malformed patch (#1866866)

- pam_namespace: polyinstantiation refer to gdm doc (#1861841)

* Thu Jul 16 2020 Peter Robinson <pbrobinson@redhat.com> - 1.3.1-12

- Add the motd.d directories (empty) to silence warnings and to

  provide proper ownership for them (#1847501)

* Fri May 15 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-11

- pam_usertype: fixed malformed patch

* Tue Apr 21 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-10

- pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970)

* Fri Apr 17 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-9

- pam_usertype: new module to tell if uid is in login.defs ranges (#1810474)

- pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357)

* Thu Dec 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-8

- pam_motd: Document how to properly silence unwanted motd messages

* Mon Dec 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-6

- pam_faillock: Fix regression in admin_group support

* Wed Oct 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-5

- pam_faillock: Support configuration file /etc/security/faillock.conf

- pam_faillock: Support local_users_only option

- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts

- Drop tallylog and pam_tally[2] documentation

- pam_lastlog: Do not display failed attempts with PAM_SILENT flag

- pam_lastlog: Support unlimited option to override fsize limit

- pam_unix: Log if user authenticated without password

- pam_tty_audit: Improve manual page

- Optimize closing fds when spawning helpers

- Fix duplicate password verification in pam_authtok_verify()

* Fri Dec  7 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-4

- Drop pam_tally2 which was obsoleted and deprecated long time ago

* Mon Sep 10 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-3

- add pam_umask to postlogin PAM configuration file

- fix some issues found by Coverity scan

* Fri Jun  8 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-1

- use /run instead of /var/run in pamtmp.conf (#1588612)

* Fri May 18 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-1

- new upstream release 1.3.1 with multiple improvements

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-10

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Tue Jan 30 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.0-9

- and the NIS support now also requires libnsl2

* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.0-8

- Rebuilt for switch to libxcrypt

* Thu Jan 11 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.0-7

- the NIS support now requires libtirpc

* Mon Aug 21 2017 Tomáš Mráz <tmraz@redhat.com> 1.3.0-6

- add admin_group option to pam_faillock (#1285550)

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Apr 20 2017 Tomáš Mráz <tmraz@redhat.com> 1.3.0-3

- drop superfluous 'Changing password' message from pam_unix (#658289)

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Fri May  6 2016 Tomáš Mráz <tmraz@redhat.com> 1.3.0-1

- new upstream release with multiple improvements

* Mon Apr 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-8

- make cracklib-dicts dependency weak (#1323172)

* Wed Apr  6 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-7

- do not drop PAM_OLDAUTHTOK if mismatched - can be used by further modules

* Mon Apr  4 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-6

- pam_unix: use pam_get_authtok() and improve prompting

* Fri Feb  5 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-5

- fix console device name in console.handlers (#1270224)

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Fri Oct 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-3

- pam_faillock: add possibility to set unlock_time to never

* Wed Aug 12 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-2

- drop the nproc limit setting, it is causing more harm than it solves

* Fri Jun 26 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.1-1

- new upstream release fixing security issue with unlimited password length

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Fri May 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.0-1

- new upstream release with multiple minor improvements

* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18

- use USER_MGMT type for auditing in the pam_tally2 and faillock

  apps (#1151576)

* Thu Sep 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17

- update the audit-grantor patch with the upstream changes

- pam_userdb: correct the example in man page (#1078784)

- pam_limits: check whether the utmp login entry is valid (#1080023)

- pam_console_apply: do not print error if console.perms.d is empty

- pam_limits: nofile refers to open file descriptors (#1111220)

- apply PIE and full RELRO to all binaries built

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.8-16

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Wed Aug 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15

- audit the module names that granted access

- pam_faillock: update to latest version

* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 1.1.8-14

- fix license handling

* Wed Jul 16 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-13

- be tolerant to corrupted opasswd file

* Fri Jun 06 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.8-12

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Thu May 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-11

- pam_loginuid: make it return PAM_IGNORE in containers

* Mon Mar 31 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-10

- fix CVE-2014-2583: potential path traversal issue in pam_timestamp

* Wed Mar 26 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-9

- pam_pwhistory: call the helper if SELinux enabled

* Tue Mar 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-8

- fix CVE-2013-7041: use case sensitive comparison in pam_userdb

* Mon Mar 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-7

- rename the 90-nproc.conf to 20-nproc.conf (#1071618)

- canonicalize user name in pam_selinux (#1071010)

- refresh the pam-redhat tarball

* Mon Dec 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-4

- raise the default soft nproc limit to 4096

* Mon Dec  2 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-3

- updated translations

* Mon Oct 21 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-2

- update lastlog with pam_lastlog also for su (#1021108)

* Mon Oct 14 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-1

- new upstream release

- pam_tty_audit: allow the module to work with old kernels

* Fri Oct  4 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-3

- pam_tty_audit: proper initialization of the tty_audit_status struct

* Mon Sep 30 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-2

- add "local_users_only" to pam_pwquality in default configuration

* Fri Sep 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-1

- new upstream release

* Wed Aug  7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14

- use links instead of w3m to create txt documentation

- recognize login session in pam_sepermit to prevent gdm from locking (#969174)

- add support for disabling password logging in pam_tty_audit

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-13

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Thu Jul 11 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-12

- add auditing of SELinux policy violation in pam_rootok (#965723)

- add SELinux helper to pam_pwhistory

* Tue May  7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-11

- the default isadir is more correct

* Wed Apr 24 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-10

- pam_unix: do not fail with bad ld.so.preload

* Fri Mar 22 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-9

- do not fail if btmp file is corrupted (#906852)

- fix strict aliasing warnings in build

- UsrMove

- use authtok_type with pam_pwquality in system-auth

- remove manual_context handling from pam_selinux (#876976)

- other minor specfile cleanups

* Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8

- check NULL return from crypt() calls (#915316)

* Thu Mar 14 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-7

- add workaround for low nproc limit for confined root user (#432903)

* Thu Feb 21 2013 Karsten Hopp <karsten@redhat.com> 1.1.6-6

- add support for ppc64p7 arch (Power7 optimized)

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Jan 22 2013 Tomas Mraz <tmraz@redhat.com> 1.1.6-4

- fix build with current autotools

* Mon Oct 15 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-3

- add support for tmpfs mount options in pam_namespace

* Mon Sep  3 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-2

- link setuid binaries with full relro (#853158)

- add rhost and tty to auditing data in modules (#677664)

* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1

- new upstream release

* Thu Aug  9 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.5-9

- make the pam_lastlog module in postlogin 'optional' (#846843)

* Mon Aug  6 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.5-8

- fix build failure in pam_unix

- add display of previous bad login attempts to postlogin.pamd

- put the tmpfiles.d config to /usr/lib and rename it to pam.conf

- build against libdb-5

* Wed May  9 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-7

- add inactive account lock out functionality to pam_lastlog

- fix pam_unix remember user name matching

- add gecoscheck and maxclassrepeat functionality to pam_cracklib

- correctly check for crypt() returning NULL in pam_unix

- pam_unix - do not fallback to MD5 on password change

  if requested algorithm not supported by crypt() (#818741)

- install empty directories

* Wed May  9 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-6

- add pam_systemd to session modules

* Tue Jan 31 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-5

- fix pam_namespace leaking the protect mounts to parent namespace (#755216)

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.5-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Dec 21 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-3

- add a note to limits.conf (#754285)

* Thu Nov 24 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-2

- use pam_pwquality instead of pam_cracklib

* Thu Nov 24 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-1

- upgrade to new upstream release

* Thu Aug 25 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-4

- fix dereference in pam_env

- fix wrong parse of user@host pattern in pam_access (#732081)

* Sat Jul 23 2011 Ville Skyttä <ville.skytta@iki.fi> - 1.1.4-3

- Rebuild to fix trailing slashes in provided dirs added by rpm 4.9.1.

* Fri Jul 15 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-2

- clear supplementary groups in pam_console handler execution

* Mon Jun 27 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-1

- upgrade to new upstream release

* Tue Jun  7 2011 Tomas Mraz <tmraz@redhat.com> 1.1.3-10

- detect the shared / and make the polydir mounts private based on that

- fix memory leak and other small errors in pam_namespace

* Thu Jun  2 2011 Tomas Mraz <tmraz@redhat.com> 1.1.3-9

- add support for explicit marking of the polydir mount private (#623522)

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.3-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Wed Dec 22 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-7

- add postlogin common PAM configuration file (#665059)

* Tue Dec 14 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-6

- include patches recently submitted and applied to upstream CVS

* Thu Nov 25 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-5

- add config for autocreation of subdirectories in /var/run (#656655)

- automatically enable kernel console in pam_securetty

* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-4

- fix memory leak in pam_faillock

* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-3

- fix segfault in faillock utility

- remove some cases where the information of existence of

  an user account could be leaked by the pam_faillock,

  document the remaining case

* Fri Nov  5 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-2

- fix a mistake in the abstract X-socket connect