author Tomas Mraz <> 2008-07-11 15:37:28 +0000
committer Tomas Mraz <> 2008-07-11 15:37:28 +0000
commit 3c3bb4c3659615ffba1b23f537120ea996e8a774
tree 3e290447a93899cb391b6d2a35409f016ab1a39a /modules/pam_selinux/pam_selinux.8.xml
parent 0323cbc3d94badc4d5e941a8fb679444dcb72bbb
Relevant BUGIDs:
2008-07-11 Tomas Mraz <>

* modules/pam_selinux/pam_selinux.c (config_context): Do not ask for the level if use_current_range is set. (context_from_env): New function to obtain the context from PAM environment variables. (pam_sm_open_session): Call context_from_env() if env_params option is present. use_current_range now modifies behavior of the context_from_env and config_context options.
* modules/pam_selinux/pam_selinux.8.xml: Describe the env_params option. Adjust description of use_current_range option.
@@ -37,6 +37,9 @@
<arg choice="opt">
+ env_params
+ </arg>
+ <arg choice="opt">
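Review bot: The synopsis lists env_params as a free-standing optional <arg>, while the option text added later in this patch says env_params and select_context are mutually exclusive. Consider expressing that in the synopsis as well, for example by placing the two in one optional <group>, so that someone reading only the synopsis does not configure both.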
@@ -137,12 +140,30 @@
+ <option>env_params</option>
+ </term>
+ <listitem>
+ <para>
+ Attempt to obtain a custom security context role from PAM environment.
+ If MLS is on obtain also sensitivity level. This option and the
+ select_context option are mutually exclusive. The respective PAM
+ environment variables are <emphasis>SELINUX_ROLE_REQUESTED</emphasis>,
+ <emphasis>SELINUX_LEVEL_REQUESTED</emphasis>, and
+ <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables
+ are self describing and the last one if set to 1 makes the PAM module behave as
+ if the use_current_range was specified on the command line of the module.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
- Use the sensitivity range of the process for the user context.
- This option and the select_context option are mutually exclusive.
+ Use the sensitivity level of the current process for the user context
+ instead of the default level. Also supresses asking of the
+ sensitivity level from the user or obtaining it from PAM environment.
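Review bot: The new env_params entry does not say who is expected to set SELINUX_ROLE_REQUESTED and SELINUX_LEVEL_REQUESTED, or what the module does when the requested role or level is not valid for the user. Because these variables select the security context of the session, the page should name the expected source (the calling application or an earlier module in the stack) and describe the failure or fallback behaviour. The entry also calls env_params and select_context mutually exclusive without saying what happens when both are given, and it defines SELINUX_USE_CURRENT_RANGE only for the value 1. Smaller points: "supresses" in the use_current_range text should be "suppresses"; "on the command line of the module" would read better as the module's arguments; and the use_current_range description now says "sensitivity level" where the option name and the removed sentence say range, so one term should be used throughout.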