Diffstat (limited to 'modules/pam_sepermit/README')
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/pam_sepermit/README b/modules/pam_sepermit/README
new file mode 100644
index 00000000..cd697bb9
--- /dev/null
+++ b/modules/pam_sepermit/README
@@ -0,0 +1,48 @@
+pam_sepermit — PAM module to allow/deny login depending on SELinux enforcement
+The pam_sepermit module allows or denies login depending on SELinux enforcement
+When the user which is logging in matches an entry in the config file he is
+allowed access only when the SELinux is in enforcing mode. Otherwise he is
+denied access. For users not matching any entry in the config file the
+pam_sepermit module returns PAM_IGNORE return value.
+The config file contains a list of user names one per line with optional
+arguments. If the name is prefixed with @ character it means that all users in
+the group name match. If it is prefixed with a % character the SELinux user is
+used to match against the name instead of the account name. Note that when
+SELinux is disabled the SELinux user assigned to the account cannot be
+determined. This means that such entries are never matched when SELinux is
+disabled and pam_sepermit will return PAM_IGNORE.
+See sepermit.conf(5) for details.
+ Turns on debugging via syslog(3).
+ Path to alternative config file overriding the default.
+auth [success=done ignore=ignore default=bad]
+auth required
+account required
+session required
+pam_sepermit and this manual page were written by Tomas Mraz
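Review bot: The example line `auth [success=done ignore=ignore default=bad]` is missing a sentence on its consequence. With `success=done`, a user who matches the config file while SELinux is enforcing finishes the auth stack at this module, so the following `auth required` line never runs for that user. Please state this next to the example, so administrators list only accounts that are meant to log in without further authentication. The paragraph on `%` entries also needs one sentence of contrast with the first paragraph. By the text, a matching user is denied when SELinux is not enforcing, while a `%` entry with SELinux disabled never matches and returns PAM_IGNORE, which under `ignore=ignore` falls through to the rest of the stack. Without that contrast, "Otherwise he is denied access" reads as covering every entry type. Finally, as rendered here the two option descriptions ("Turns on debugging via syslog(3)." and "Path to alternative config file overriding the default.") carry no option name, and the `auth required`, `account required` and `session required` lines name no module. Please check that these are present in the committed file.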