summaryrefslogtreecommitdiff
path: root/modules/pam_selinux/pam_selinux.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_selinux/pam_selinux.8')
-rw-r--r--modules/pam_selinux/pam_selinux.8151
1 files changed, 151 insertions, 0 deletions
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
new file mode 100644
index 00000000..2745a478
--- /dev/null
+++ b/modules/pam_selinux/pam_selinux.8
@@ -0,0 +1,151 @@
+'\" t
+.\" Title: pam_selinux
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 06/08/2020
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_SELINUX" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_selinux \- PAM module to set the default security context
+.SH "SYNOPSIS"
+.HP \w'\fBpam_selinux\&.so\fR\ 'u
+\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range]
+.SH "DESCRIPTION"
+.PP
+pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&.
+.PP
+When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next
+\fBexecve\fR(2)
+call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring\&.
+.PP
+When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module\&.
+.PP
+Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications\&. To avoid that,
+\fIpam_selinux\&.so open\fR
+should be placed after such modules in the PAM stack, and
+\fIpam_selinux\&.so close\fR
+should be placed before them\&. When such a placement is not feasible,
+\fIpam_selinux\&.so restore\fR
+could be used to temporary restore original security contexts\&.
+.SH "OPTIONS"
+.PP
+\fBopen\fR
+.RS 4
+Only execute the open_session part of the module\&.
+.RE
+.PP
+\fBclose\fR
+.RS 4
+Only execute the close_session part of the module\&.
+.RE
+.PP
+\fBrestore\fR
+.RS 4
+In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&.
+.RE
+.PP
+\fBnottys\fR
+.RS 4
+Do not setup security context of the controlling terminal\&.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+Turn on debug messages via
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBverbose\fR
+.RS 4
+Attempt to inform the user when security context is set\&.
+.RE
+.PP
+\fBselect_context\fR
+.RS 4
+Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&.
+.RE
+.PP
+\fBenv_params\fR
+.RS 4
+Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are
+\fISELINUX_ROLE_REQUESTED\fR,
+\fISELINUX_LEVEL_REQUESTED\fR, and
+\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&.
+.RE
+.PP
+\fBuse_current_range\fR
+.RS 4
+Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+module type is provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_SUCCESS
+.RS 4
+The security context was set successfully\&.
+.RE
+.PP
+PAM_SESSION_ERR
+.RS 4
+Unable to get or set a valid context\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+The user is not known to the system\&.
+.RE
+.PP
+PAM_BUF_ERR
+.RS 4
+Memory allocation error\&.
+.RE
+.SH "EXAMPLES"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth required pam_unix\&.so
+session required pam_permit\&.so
+session optional pam_selinux\&.so
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBexecve\fR(2),
+\fBtty\fR(4),
+\fBpam.d\fR(5),
+\fBpam\fR(8),
+\fBselinux\fR(8)
+.SH "AUTHOR"
+.PP
+pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&.