path: root/modules/pam_selinux/README
diff options
authorThorsten Kukuk <>2006-06-18 08:26:58 +0000
committerThorsten Kukuk <>2006-06-18 08:26:58 +0000
commit5ea6d47931e49aa8b87405f5dbd9af4e19785e0e (patch)
tree5df5a56a58a271ab042cf1f3245eb5a14c321e03 /modules/pam_selinux/README
parent03226fd971126dfe527a0828c8c6648e94fa613d (diff)
Relevant BUGIDs:
Purpose of commit: cleanup Commit summary: --------------- 2006-06-18 Thorsten Kukuk <> * modules/pam_selinux/ Include Make.xml.rules. * modules/pam_selinux/pam_selinux.8.xml: New. * modules/pam_selinux/pam_selinux.8: Regenerated from xml file. * modules/pam_selinux/README.xml: New. * modules/pam_selinux/README: Regenerated from xml file.
Diffstat (limited to 'modules/pam_selinux/README')
1 files changed, 59 insertions, 12 deletions
diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README
index 174c4bda..13eba8af 100644
--- a/modules/pam_selinux/README
+++ b/modules/pam_selinux/README
@@ -1,17 +1,64 @@
-This is pam_selinux, a module for setting the default security context after
-login via PAM.
+pam_selinux — PAM module to set the default security context
-Background: SELinux provides a mechanism for allowing people to login with
-different security contexts.
-The module takes these arguments:
-The module takes these arguments:
- close Only execute the close_session portion of the module.
- debug Log debug messages (with priority DEBUG) to syslog.
- nottys Do not set security context on controlling tty
- verbose Attempt to tell the user when security context is set.
- open Only execute the open_session portion of the module.
-Dan Walsh <>
+In a nutshell, pam_selinux sets up the default security context for the next
+execed shell.
+When an application opens a session using pam_selinux, the shell that gets
+executed will be run in the default security context, or if the user chooses
+and the pam file allows the selected security context. Also the controlling tty
+will have it's security context modified to match the users.
+Adding pam_selinux into a pam file could cause other pam modules to change
+their behavior if the exec another application. The close and open option help
+mitigate this problem. close option will only cause the close portion of the
+pam_selinux to execute, and open will only cause the open portion to run. You
+can add pam_selinux to the config file twice. Add the pam_selinux close as the
+executes the open pass through the modules, pam_selinux open_session will
+happen last. When PAM executes the close pass through the modules pam_selinux
+close_session will happen first.
+ Only execute the close_session portion of the module.
+ Turns on debugging via syslog(3).
+ Tells to allow the user to select the security context they
+ will login with, if the user has more than one role.
+ Only execute the open_session portion of the module.
+ Do not try to setup the ttys security context.
+ attempt to inform the user when security context is set.
+auth requisite
+auth [success=2 default=ok] auth=perm_denied cred=success
+auth [default=reset] auth=success cred=perm_denied
+auth [success=done default=die]
+auth optional auth=perm_denied cred=perm_denied
+auth sufficient auth=success cred=success
+pam_selinux was written by Dan Walsh <>.