Relevant BUGIDs:

Purpose of commit: new feature Commit summary: --------------- 2008-07-11 Tomas Mraz <t8m@centrum.cz> * modules/pam_selinux/pam_selinux.c (config_context): Do not ask for the level if use_current_range is set. (context_from_env): New function to obtain the context from PAM environment variables. (pam_sm_open_session): Call context_from_env() if env_params option is present. use_current_range now modifies behavior of the context_from_env and config_context options. * modules/pam_selinux/pam_selinux.8.xml: Describe the env_params option. Adjust description of use_current_range option.
author: Tomas Mraz <tm@t8m.info> 2008-07-11 15:37:28 +0000
committer: Tomas Mraz <tm@t8m.info> 2008-07-11 15:37:28 +0000
commit: 3c3bb4c3659615ffba1b23f537120ea996e8a774 (patch)
tree: 3e290447a93899cb391b6d2a35409f016ab1a39a /modules/pam_selinux/pam_selinux.8.xml
parent: 0323cbc3d94badc4d5e941a8fb679444dcb72bbb (diff)
1 files changed, 23 insertions, 2 deletions
diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml
index 3acd1322..ab368a87 100644
--- a/modules/pam_selinux/pam_selinux.8.xml
+++ b/modules/pam_selinux/pam_selinux.8.xml
@@ -37,6 +37,9 @@
 	select_context
       </arg>
       <arg choice="opt">
+	env_params
+      </arg>
+      <arg choice="opt">
 	use_current_range
       </arg>
     </cmdsynopsis>
@@ -137,12 +140,30 @@
       </varlistentry>
       <varlistentry>
         <term>
+          <option>env_params</option>
+        </term>
+        <listitem>
+          <para>
+            Attempt to obtain a custom security context role from PAM environment.
+            If MLS is on obtain also sensitivity level. This option and the
+            select_context option are mutually exclusive. The respective PAM
+            environment variables are <emphasis>SELINUX_ROLE_REQUESTED</emphasis>,
+            <emphasis>SELINUX_LEVEL_REQUESTED</emphasis>, and
+            <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables
+            are self describing and the last one if set to 1 makes the PAM module behave as
+            if the use_current_range was specified on the command line of the module.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
           <option>use_current_range</option>
         </term>
         <listitem>
           <para>
-            Use the sensitivity range of the process for the user context.
-            This option and the select_context option are mutually exclusive.
+            Use the sensitivity level of the current process for the user context
+            instead of the default level. Also supresses asking of the
+            sensitivity level from the user or obtaining it from PAM environment.
           </para>
         </listitem>
       </varlistentry>
author	Tomas Mraz <tm@t8m.info>	2008-07-11 15:37:28 +0000
committer	Tomas Mraz <tm@t8m.info>	2008-07-11 15:37:28 +0000
commit	3c3bb4c3659615ffba1b23f537120ea996e8a774 (patch)
tree	3e290447a93899cb391b6d2a35409f016ab1a39a /modules/pam_selinux/pam_selinux.8.xml
parent	0323cbc3d94badc4d5e941a8fb679444dcb72bbb (diff)