diff options
Diffstat (limited to 'modules/pam_selinux/pam_selinux.8.xml')
-rw-r--r-- | modules/pam_selinux/pam_selinux.8.xml | 220 |
1 files changed, 220 insertions, 0 deletions
diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml new file mode 100644 index 00000000..3acd1322 --- /dev/null +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -0,0 +1,220 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_selinux"> + + <refmeta> + <refentrytitle>pam_selinux</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_selinux-name"> + <refname>pam_selinux</refname> + <refpurpose>PAM module to set the default security context</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_selinux-cmdsynopsis"> + <command>pam_selinux.so</command> + <arg choice="opt"> + close + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + open + </arg> + <arg choice="opt"> + nottys + </arg> + <arg choice="opt"> + verbose + </arg> + <arg choice="opt"> + select_context + </arg> + <arg choice="opt"> + use_current_range + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_selinux-description"> + <title>DESCRIPTION</title> + <para> + In a nutshell, pam_selinux sets up the default security context for the + next execed shell. + </para> + <para> + When an application opens a session using pam_selinux, the shell that + gets executed will be run in the default security context, or if the + user chooses and the pam file allows the selected security context. + Also the controlling tty will have it's security context modified to + match the users. + </para> + <para> + Adding pam_selinux into a pam file could cause other pam modules to + change their behavior if the exec another application. The close and + open option help mitigate this problem. close option will only cause + the close portion of the pam_selinux to execute, and open will only + cause the open portion to run. You can add pam_selinux to the config + file twice. Add the pam_selinux close as the executes the open pass + through the modules, pam_selinux open_session will happen last. + When PAM executes the close pass through the modules pam_selinux + close_session will happen first. + </para> + </refsect1> + + <refsect1 id="pam_selinux-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>close</option> + </term> + <listitem> + <para> + Only execute the close_session portion of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>open</option> + </term> + <listitem> + <para> + Only execute the open_session portion of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nottys</option> + </term> + <listitem> + <para> + Do not try to setup the ttys security context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>verbose</option> + </term> + <listitem> + <para> + attempt to inform the user when security context is set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>select_context</option> + </term> + <listitem> + <para> + Attempt to ask the user for a custom security context role. + If MLS is on ask also for sensitivity level. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_current_range</option> + </term> + <listitem> + <para> + Use the sensitivity range of the process for the user context. + This option and the select_context option are mutually exclusive. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_selinux-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only the <option>session</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_selinux-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Unable to get or set a valid context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The security context was set successfull. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_selinux-examples'> + <title>EXAMPLES</title> + <programlisting> +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + </programlisting> + </refsect1> + + <refsect1 id='pam_selinux-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_selinux-author'> + <title>AUTHOR</title> + <para> + pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. + </para> + </refsect1> + +</refentry> |