From 30d7523ce5a739f4160831ff9dec5320c13fb037c66f7642ddec57a923edf960 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Mon, 4 Mar 2024 13:33:34 +0000
Subject: [PATCH] - cockpit.pam: respect /etc/cockpit/disallowed-users This means by default root cannot login with password to cockpit (bsc#1216080) - Remove SELinux file context for /usr/bin/cockpit-bridge, this is already defined in the main selinux-policy package (bsc#1220385). Modified selinux_libdir.patch
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit?expand=0&rev=165
---
 cockpit.changes | 8 ++++++++
 cockpit.pam | 2 ++
 2 files changed, 10 insertions(+)
diff --git a/cockpit.changes b/cockpit.changes
index b2dce6d..c423d84 100644
--- a/cockpit.changes
+++ b/cockpit.changes
@@ -1,8 +1,16 @@
+-------------------------------------------------------------------
+Mon Mar 4 13:24:23 UTC 2024 - Adam Majer
+
+- cockpit.pam: respect /etc/cockpit/disallowed-users
+ This means by default root cannot login with password to cockpit
+ (bsc#1216080)
+
 -------------------------------------------------------------------
 Thu Feb 29 16:40:06 UTC 2024 - Cathy Hu
 - Remove SELinux file context for /usr/bin/cockpit-bridge, this is already defined in the main selinux-policy package (bsc#1220385).
+ Modified selinux_libdir.patch
 -------------------------------------------------------------------
 Thu Feb 15 12:21:55 UTC 2024 - Adam Majer
diff --git a/cockpit.pam b/cockpit.pam
index 9cbc8ed..376d79f 100644
--- a/cockpit.pam
+++ b/cockpit.pam
@@ -1,5 +1,7 @@
 #%PAM-1.0
 auth substack common-auth
+# List of users to deny access to Cockpit, by default root is included.
+auth required pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed
 account required pam_nologin.so
 account include common-account
 password include common-password
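Review bot: The `pam_listfile.so` rule added to cockpit.pam fails open, and the comment above it does not say so: with `onerr=succeed` the module returns success when `/etc/cockpit/disallowed-users` is missing or cannot be opened, so nobody is denied. This commit touches only cockpit.changes and cockpit.pam, so whether the package installs that file with root listed cannot be confirmed from here; the changelog's "by default root cannot login" depends on it. I would extend the comment with `# onerr=succeed fails open: if this file is missing or cannot be opened, no user is denied.` The rule is also in the auth stack only, which fits the "with password" wording in the commit message but presumably leaves any login path that skips the auth stack unchecked; the rest of the PAM file is outside the hunk, so an existing account-stack check cannot be ruled out.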