path: root/modules/pam_selinux/pam_selinux.8
diff options
Diffstat (limited to 'modules/pam_selinux/pam_selinux.8')
1 files changed, 63 insertions, 0 deletions
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
new file mode 100644
index 00000000..4ccec58c
--- /dev/null
+++ b/modules/pam_selinux/pam_selinux.8
@@ -0,0 +1,63 @@
+.TH pam_selinux 8 2003/08/26 "Red Hat Linux" "System Administrator's Manual"
+pam_selinux \- set the default security context after login via PAM.
+.B session optional /lib/security/
+In a nutshell, pam_selinux sets up the default security context for the next execed
+When an application opens a session using pam_selinux, the shell that gets
+executed will be run in the default security context, or if the user chooses
+and the pam file allows the selected security context. Also the controlling
+tty will have it's security context modified to match the users.
+Adding pam_selinux into a pam file could cause other pam modules to change
+their behavior if the exec another application. The close and open option help
+mitigate this problem. close option will only cause the close portion of the
+pam_selinux to execute, and open will only cause the open portion to run. You
+can add pam_selinux to the config file twice. Add the pam_selinux close as the
+'first' session entry and open as the 'last' session entry. This way when pam
+executes the open pass through the modules, pam_selinux open_session will
+happen last. When pam executes the close pass through the modules pam_selinux
+close_session will happen first.
+.IP close
+Only execute the close_session portion of the module.
+.IP debug
+turns on debugging via \fBsyslog(3)\fR.
+.IP multiple
+tells to allow the user to select the security context they will
+login with, if the user has more than one role.
+.IP open
+Only execute the open_session portion of the module.
+.IP nottys
+Do not try to setup the ttys security context.
+.IP verbose
+attempt to inform the user when security context is set.
+auth required /lib/security/
+session required /lib/security/
+session optional /lib/security/
+Setting the following line will cause the login to fail
+auth sufficient /lib/security/ verbose
+Let's hope not, but if you find any, please email the author.
+Dan Walsh <>