path: root/modules/pam_selinux/README
author: Steve Langasek <> 2019-01-03 16:26:05 -0800
committer: Steve Langasek <> 2019-01-03 17:26:38 -0800
commit: 9c52e721044e7501c3d4567b36d222dc7326224a
tree: 9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_selinux/README
parent: 9727ff2a3fa0e94a42b34a579027bacf4146d571
parent: 186ff16e8d12ff15d518000c17f115ccab5275a4
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_selinux/README')
1 files changed, 66 insertions, 0 deletions
diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README
new file mode 100644
index 00000000..9e841f2e
--- /dev/null
+++ b/modules/pam_selinux/README
@@ -0,0 +1,66 @@
+pam_selinux — PAM module to set the default security context
+In a nutshell, pam_selinux sets up the default security context for the next
+execed shell.
+When an application opens a session using pam_selinux, the shell that gets
+executed will be run in the default security context, or if the user chooses
+and the pam file allows the selected security context. Also the controlling tty
+will have it's security context modified to match the users.
+Adding pam_selinux into a pam file could cause other pam modules to change
+their behavior if the exec another application. The close and open option help
+mitigate this problem. close option will only cause the close portion of the
+pam_selinux to execute, and open will only cause the open portion to run. You
+can add pam_selinux to the config file twice. Add the pam_selinux close as the
+executes the open pass through the modules, pam_selinux open_session will
+happen last. When PAM executes the close pass through the modules pam_selinux
+close_session will happen first.
+ Only execute the close_session portion of the module.
+ Turns on debugging via syslog(3).
+ Only execute the open_session portion of the module.
+ Do not try to setup the ttys security context.
+ attempt to inform the user when security context is set.
+ Attempt to ask the user for a custom security context role. If MLS is on
+ ask also for sensitivity level.
+ Use the sensitivity range of the process for the user context. This option
+ and the select_context option are mutually exclusive.
+auth required
+session required
+session optional
+pam_selinux was written by Dan Walsh <>.
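Review bot: The sentence "Add the pam_selinux close as the" in the close/open paragraph breaks off and runs straight into "executes the open pass through the modules", so the instruction on where the two pam_selinux lines belong in the session stack is missing. The next sentences only imply it (open_session should happen last on the open pass, close_session first on the close pass), and this ordering decides which security context helpers exec'ed by other modules run in, so the placement should be spelled out. The same README lists seven option descriptions ("Only execute the close_session portion of the module." through "Use the sensitivity range of the process for the user context.") with no option keyword attached to any of them; only close, open and select_context are named anywhere in the text, so a reader cannot tell which argument turns off tty relabeling or enables debugging. The example at the end is reduced to "auth required", "session required" and "session optional" with no module names or arguments, which makes it unusable as a reference configuration. Smaller wording points in the description: "it's security context" should be "its", "match the users" should be "match the user's", and "if the exec another application" should be "if they exec". The clause "or if the user chooses and the pam file allows the selected security context" would also be clearer if it said that a user-selected context is used only when the PAM configuration permits it.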