author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 16:26:05 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:26:38 -0800 |
commit | 9c52e721044e7501c3d4567b36d222dc7326224a (patch) | |
tree | 9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_sepermit/README | |
parent | 9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff) | |
parent | 186ff16e8d12ff15d518000c17f115ccab5275a4 (diff) |
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_sepermit/README')
-rw-r--r-- | modules/pam_sepermit/README | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/modules/pam_sepermit/README b/modules/pam_sepermit/README new file mode 100644 index 00000000..11429832 --- /dev/null +++ b/modules/pam_sepermit/README @@ -0,0 +1,51 @@ +pam_sepermit — PAM module to allow/deny login depending on SELinux enforcement +state + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_sepermit module allows or denies login depending on SELinux enforcement +state. + +When the user which is logging in matches an entry in the config file he is +allowed access only when the SELinux is in enforcing mode. Otherwise he is +denied access. For users not matching any entry in the config file the +pam_sepermit module returns PAM_IGNORE return value. + +The config file contains a simple list of user names one per line. If the name +is prefixed with @ character it means that all users in the group name match. +If it is prefixed with a % character the SELinux user is used to match against +the name instead of the account name. Note that when SELinux is disabled the +SELinux user assigned to the account cannot be determined. This means that such +entries are never matched when SELinux is disabled and pam_sepermit will return +PAM_IGNORE. + +Each user name in the configuration file can have optional arguments separated +by : character. The only currently recognized argument is exclusive. The +pam_sepermit module will allow only single concurrent user session for the user +with this argument specified and it will attempt to kill all processes of the +user after logout. + +OPTIONS + +debug + + Turns on debugging via syslog(3). + +conf=/path/to/config/file + + Path to alternative config file overriding the default. + +EXAMPLES + +auth [success=done ignore=ignore default=bad] pam_sepermit.so +auth required pam_unix.so +account required pam_unix.so +session required pam_permit.so + + +AUTHOR + +pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + |
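Review bot: The DESCRIPTION paragraph on `%` entries does not spell out the consequence of returning PAM_IGNORE when SELinux is disabled. With the EXAMPLES line `auth [success=done ignore=ignore default=bad] pam_sepermit.so`, an ignored result falls through to `pam_unix.so`, so an account listed only by its SELinux user is not restricted by this module on a system with SELinux disabled, while the second paragraph says a matching account name is denied whenever SELinux is not enforcing. Suggest stating that difference explicitly next to the `%` description. Under OPTIONS, `conf=` is described as overriding the default, but the default config file path is never given; name it there. The `exclusive` paragraph says the module "will attempt to kill all processes of the user after logout"; it would help to document what happens when that attempt does not succeed.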