summaryrefslogtreecommitdiff
path: root/modules/pam_selinux/pam_selinux.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_selinux/pam_selinux.8.xml')
-rw-r--r--modules/pam_selinux/pam_selinux.8.xml220
1 files changed, 220 insertions, 0 deletions
diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml
new file mode 100644
index 00000000..3acd1322
--- /dev/null
+++ b/modules/pam_selinux/pam_selinux.8.xml
@@ -0,0 +1,220 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_selinux">
+
+ <refmeta>
+ <refentrytitle>pam_selinux</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_selinux-name">
+ <refname>pam_selinux</refname>
+ <refpurpose>PAM module to set the default security context</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_selinux-cmdsynopsis">
+ <command>pam_selinux.so</command>
+ <arg choice="opt">
+ close
+ </arg>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ open
+ </arg>
+ <arg choice="opt">
+ nottys
+ </arg>
+ <arg choice="opt">
+ verbose
+ </arg>
+ <arg choice="opt">
+ select_context
+ </arg>
+ <arg choice="opt">
+ use_current_range
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_selinux-description">
+ <title>DESCRIPTION</title>
+ <para>
+ In a nutshell, pam_selinux sets up the default security context for the
+ next execed shell.
+ </para>
+ <para>
+ When an application opens a session using pam_selinux, the shell that
+ gets executed will be run in the default security context, or if the
+ user chooses and the pam file allows the selected security context.
+ Also the controlling tty will have it's security context modified to
+ match the users.
+ </para>
+ <para>
+ Adding pam_selinux into a pam file could cause other pam modules to
+ change their behavior if the exec another application. The close and
+ open option help mitigate this problem. close option will only cause
+ the close portion of the pam_selinux to execute, and open will only
+ cause the open portion to run. You can add pam_selinux to the config
+ file twice. Add the pam_selinux close as the executes the open pass
+ through the modules, pam_selinux open_session will happen last.
+ When PAM executes the close pass through the modules pam_selinux
+ close_session will happen first.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_selinux-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>close</option>
+ </term>
+ <listitem>
+ <para>
+ Only execute the close_session portion of the module.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Turns on debugging via
+ <citerefentry>
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>open</option>
+ </term>
+ <listitem>
+ <para>
+ Only execute the open_session portion of the module.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nottys</option>
+ </term>
+ <listitem>
+ <para>
+ Do not try to setup the ttys security context.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>verbose</option>
+ </term>
+ <listitem>
+ <para>
+ attempt to inform the user when security context is set.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>select_context</option>
+ </term>
+ <listitem>
+ <para>
+ Attempt to ask the user for a custom security context role.
+ If MLS is on ask also for sensitivity level.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>use_current_range</option>
+ </term>
+ <listitem>
+ <para>
+ Use the sensitivity range of the process for the user context.
+ This option and the select_context option are mutually exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_selinux-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ Only the <option>session</option> service is supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_selinux-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ Unable to get or set a valid context.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The security context was set successfull.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ The user is not known to the system.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_selinux-examples'>
+ <title>EXAMPLES</title>
+ <programlisting>
+auth required pam_unix.so
+session required pam_permit.so
+session optional pam_selinux.so
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id='pam_selinux-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_selinux-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_selinux was written by Dan Walsh &lt;dwalsh@redhat.com&gt;.
+ </para>
+ </refsect1>
+
+</refentry>
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 02:35:48 +0000