add postlogin pam rules

pam.spec

@@ -19,7 +19,7 @@ Epoch:	1
 Summary:	A security tool which provides authentication for applications
 Name:		pam
 Version:	1.1.4
-Release:	13
+Release:	14
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License:	BSD and GPLv2+
@@ -36,6 +36,8 @@ Source7:	config-util.pamd
 Source8:	dlopen.sh
 Source9:	system-auth.5
 Source10:	config-util.5
+Source11: postlogin.pamd
+Source12: postlogin.5
 #add missing documentation
 Source501: 	pam_tty_audit.8
 Source502:	README
@@ -217,12 +219,13 @@ install -d -m 755 %{buildroot}/etc/pam.d
 install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
 install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
 install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
+install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin
 install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
 install -d -m 755 %{buildroot}/var/log
 install -m 600 /dev/null %{buildroot}/var/log/tallylog
 
 # Install man pages.
-install -m 644 %{SOURCE9} %{SOURCE10} %{buildroot}%{_mandir}/man5/
+install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/
 
 # no longer needed, handled by ACL in udev
 for phase in auth acct passwd session ; do

postlogin.5

@@ -0,0 +1,46 @@
+.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+postlogin \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/postlogin
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this PAM configuration file is to provide a common
+place for all PAM modules which should be called after the stack
+configured in
+.BR system-auth
+or the other common PAM configuration files.
+
+.sp
+The
+.BR postlogin
+configuration file is included from all individual service configuration
+files that provide login service with shell or file access.
+
+.SH NOTES
+The modules in the postlogin configuration file are executed regardless
+of the success or failure of the modules in the
+.BR system-auth
+configuration file.
+
+.SH BUGS
+.sp 2
+Sometimes it would be useful to be able to skip the postlogin modules in
+case the substack of the
+.BR system-auth
+modules failed. Unfortunately the current Linux-PAM library does not
+provide any way how to achieve this.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), system-auth(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

postlogin.pamd

@@ -0,0 +1,7 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+
+session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet
+session     [default=1]   pam_lastlog.so nowtmp silent
+session     optional      pam_lastlog.so silent noupdate showfailed