1 files changed, 130 insertions, 0 deletions
diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8
new file mode 100644
index 00000000..31a85477
--- /dev/null
+++ b/modules/pam_sepermit/pam_sepermit.8
@@ -0,0 +1,130 @@
+'\" t
+.\"     Title: pam_sepermit
+.\"    Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 04/01/2016
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
+.\"  Language: English
+.\"
+.TH "PAM_SEPERMIT" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_sepermit \- PAM module to allow/deny login depending on SELinux enforcement state
+.SH "SYNOPSIS"
+.HP \w'\fBpam_sepermit\&.so\fR\ 'u
+\fBpam_sepermit\&.so\fR [debug] [conf=\fI/path/to/config/file\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_sepermit module allows or denies login depending on SELinux enforcement state\&.
+.PP
+When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\&. Otherwise he is denied access\&. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\&.
+.PP
+The config file contains a list of user names one per line with optional arguments\&. If the
+\fIname\fR
+is prefixed with
+\fI@\fR
+character it means that all users in the group
+\fIname\fR
+match\&. If it is prefixed with a
+\fI%\fR
+character the SELinux user is used to match against the
+\fIname\fR
+instead of the account name\&. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\&. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\&.
+.PP
+See
+\fBsepermit.conf\fR(5)
+for details\&.
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 4
+Turns on debugging via
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBconf=\fR\fB\fI/path/to/config/file\fR\fR
+.RS 4
+Path to alternative config file overriding the default\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+module types are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_AUTH_ERR
+.RS 4
+SELinux is disabled or in the permissive mode and the user matches\&.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+SELinux is in the enforcing mode and the user matches\&.
+.RE
+.PP
+PAM_IGNORE
+.RS 4
+The user does not match any entry in the config file\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+The module was unable to determine the user\*(Aqs name\&.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 4
+Error during reading or parsing the config file\&.
+.RE
+.SH "FILES"
+.PP
+/etc/security/sepermit\&.conf
+.RS 4
+Default configuration file
+.RE
+.SH "EXAMPLES"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth     [success=done ignore=ignore default=bad] pam_sepermit\&.so
+auth     required  pam_unix\&.so
+account  required  pam_unix\&.so
+session  required  pam_permit\&.so
+    
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBsepermit.conf\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)\fBselinux\fR(8)
+.SH "AUTHOR"
+.PP
+pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&.