diff options
Diffstat (limited to 'modules/pam_sepermit')
-rw-r--r-- | modules/pam_sepermit/Makefile.am | 10 | ||||
-rw-r--r-- | modules/pam_sepermit/Makefile.in | 341 | ||||
-rw-r--r-- | modules/pam_sepermit/README | 25 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.8 | 193 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.8.xml | 21 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 23 | ||||
-rw-r--r-- | modules/pam_sepermit/sepermit.conf.5 | 110 | ||||
-rw-r--r-- | modules/pam_sepermit/sepermit.conf.5.xml | 110 |
8 files changed, 502 insertions, 331 deletions
diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 579e142f..9211a938 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -1,19 +1,19 @@ # # Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2009 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit if HAVE_LIBSELINUX TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 + man_MANS = pam_sepermit.8 sepermit.conf.5 endif -XMLS = README.xml pam_sepermit.8.xml +XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -37,7 +37,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la endif if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 +noinst_DATA = README pam_sepermit.8 sepermit.conf.5 README: pam_sepermit.8.xml -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_sepermit/Makefile.in b/modules/pam_sepermit/Makefile.in index ae2000d7..3d1fb327 100644 --- a/modules/pam_sepermit/Makefile.in +++ b/modules/pam_sepermit/Makefile.in @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10.2 from Makefile.am. +# Makefile.in generated by automake 1.11 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,14 +17,15 @@ # # Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2009 Red Hat, Inc. # VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -59,15 +61,31 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" \ - "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sepermitlockdir)" -securelibLTLIBRARIES_INSTALL = $(INSTALL) +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" \ + "$(DESTDIR)$(sepermitlockdir)" LTLIBRARIES = $(securelib_LTLIBRARIES) pam_sepermit_la_DEPENDENCIES = pam_sepermit_la_SOURCES = pam_sepermit.c @@ -80,6 +98,7 @@ pam_sepermit_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ @@ -91,14 +110,15 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = pam_sepermit.c DIST_SOURCES = pam_sepermit.c +man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(man_MANS) -secureconfDATA_INSTALL = $(INSTALL_DATA) -sepermitlockDATA_INSTALL = $(INSTALL_DATA) DATA = $(noinst_DATA) $(secureconf_DATA) $(sepermitlock_DATA) ETAGS = etags CTAGS = ctags +am__tty_colors = \ +red=; grn=; lgn=; blu=; std= DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -262,10 +282,10 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit @HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_sepermit -@HAVE_LIBSELINUX_TRUE@man_MANS = pam_sepermit.8 -XMLS = README.xml pam_sepermit.8.xml +@HAVE_LIBSELINUX_TRUE@man_MANS = pam_sepermit.8 sepermit.conf.5 +XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) sepermitlockdir = ${localstatedir}/run/sepermit @@ -280,7 +300,7 @@ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module \ @HAVE_LIBSELINUX_TRUE@secureconf_DATA = sepermit.conf @HAVE_LIBSELINUX_TRUE@sepermitlock_DATA = @HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_sepermit.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_sepermit.8 +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_sepermit.8 sepermit.conf.5 all: all-am .SUFFIXES: @@ -294,9 +314,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -314,23 +334,28 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" - @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } uninstall-securelibLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ done clean-securelibLTLIBRARIES: @@ -354,21 +379,21 @@ distclean-compile: .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< @@ -378,85 +403,122 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man8_MANS) $(man_MANS) +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list=''; test -n "$(man5dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } +install-man8: $(man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $$i; then file=$$i; \ - else file=$(srcdir)/$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + uninstall-man8: @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } install-secureconfDATA: $(secureconf_DATA) @$(NORMAL_INSTALL) test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" - @list='$(secureconf_DATA)'; for p in $$list; do \ + @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \ - $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(secureconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done uninstall-secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \ - rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \ - done + @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(secureconfdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(secureconfdir)" && rm -f $$files install-sepermitlockDATA: $(sepermitlock_DATA) @$(NORMAL_INSTALL) test -z "$(sepermitlockdir)" || $(MKDIR_P) "$(DESTDIR)$(sepermitlockdir)" - @list='$(sepermitlock_DATA)'; for p in $$list; do \ + @list='$(sepermitlock_DATA)'; test -n "$(sepermitlockdir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(sepermitlockDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(sepermitlockdir)/$$f'"; \ - $(sepermitlockDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(sepermitlockdir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sepermitlockdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sepermitlockdir)" || exit $$?; \ done uninstall-sepermitlockDATA: @$(NORMAL_UNINSTALL) - @list='$(sepermitlock_DATA)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(sepermitlockdir)/$$f'"; \ - rm -f "$(DESTDIR)$(sepermitlockdir)/$$f"; \ - done + @list='$(sepermitlock_DATA)'; test -n "$(sepermitlockdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sepermitlockdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sepermitlockdir)" && rm -f $$files ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -470,7 +532,7 @@ tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -478,29 +540,34 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -509,6 +576,7 @@ check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ + $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ @@ -520,10 +588,10 @@ check-TESTS: $(TESTS) *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ + col=$$red; res=XPASS; \ ;; \ *) \ - echo "PASS: $$tst"; \ + col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ @@ -531,17 +599,18 @@ check-TESTS: $(TESTS) case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ + col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ + col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ + col=$$blu; res=SKIP; \ fi; \ + echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ @@ -583,15 +652,32 @@ check-TESTS: $(TESTS) dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ + if test "$$failed" -eq 0; then \ + echo "$$grn$$dashes"; \ + else \ + echo "$$red$$dashes"; \ + fi; \ echo "$$banner"; \ test -z "$$skipped" || echo "$$skipped"; \ test -z "$$report" || echo "$$report"; \ - echo "$$dashes"; \ + echo "$$dashes$$std"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -607,13 +693,17 @@ distdir: $(DISTFILES) if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -622,7 +712,7 @@ check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sepermitlockdir)"; do \ + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sepermitlockdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -646,6 +736,7 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -668,6 +759,8 @@ dvi-am: html: html-am +html-am: + info: info-am info-am: @@ -677,18 +770,28 @@ install-data-am: install-man install-secureconfDATA \ install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am -install-man: install-man8 +install-info-am: + +install-man: install-man5 install-man8 install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -712,9 +815,9 @@ ps-am: uninstall-am: uninstall-man uninstall-secureconfDATA \ uninstall-securelibLTLIBRARIES uninstall-sepermitlockDATA -uninstall-man: uninstall-man8 +uninstall-man: uninstall-man5 uninstall-man8 -.MAKE: install-am install-strip +.MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \ @@ -723,18 +826,20 @@ uninstall-man: uninstall-man8 html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-secureconfDATA \ - install-securelibLTLIBRARIES install-sepermitlockDATA \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + install-info-am install-man install-man5 install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-secureconfDATA install-securelibLTLIBRARIES \ + install-sepermitlockDATA install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man5 \ uninstall-man8 uninstall-secureconfDATA \ uninstall-securelibLTLIBRARIES uninstall-sepermitlockDATA @ENABLE_REGENERATE_MAN_TRUE@README: pam_sepermit.8.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/modules/pam_sepermit/README b/modules/pam_sepermit/README index 11429832..cd697bb9 100644 --- a/modules/pam_sepermit/README +++ b/modules/pam_sepermit/README @@ -13,19 +13,15 @@ allowed access only when the SELinux is in enforcing mode. Otherwise he is denied access. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value. -The config file contains a simple list of user names one per line. If the name -is prefixed with @ character it means that all users in the group name match. -If it is prefixed with a % character the SELinux user is used to match against -the name instead of the account name. Note that when SELinux is disabled the -SELinux user assigned to the account cannot be determined. This means that such -entries are never matched when SELinux is disabled and pam_sepermit will return -PAM_IGNORE. - -Each user name in the configuration file can have optional arguments separated -by : character. The only currently recognized argument is exclusive. The -pam_sepermit module will allow only single concurrent user session for the user -with this argument specified and it will attempt to kill all processes of the -user after logout. +The config file contains a list of user names one per line with optional +arguments. If the name is prefixed with @ character it means that all users in +the group name match. If it is prefixed with a % character the SELinux user is +used to match against the name instead of the account name. Note that when +SELinux is disabled the SELinux user assigned to the account cannot be +determined. This means that such entries are never matched when SELinux is +disabled and pam_sepermit will return PAM_IGNORE. + +See sepermit.conf(5) for details. OPTIONS @@ -47,5 +43,6 @@ session required pam_permit.so AUTHOR -pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. +pam_sepermit and this manual page were written by Tomas Mraz +<tmraz@redhat.com>. diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8 index 6b53e4ff..8340f050 100644 --- a/modules/pam_sepermit/pam_sepermit.8 +++ b/modules/pam_sepermit/pam_sepermit.8 @@ -1,161 +1,13 @@ +'\" t .\" Title: pam_sepermit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> -.\" Date: 03/02/2009 +.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> +.\" Date: 11/04/2009 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_SEPERMIT" "8" "03/02/2009" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" ----------------------------------------------------------------- -.\" * (re)Define some macros -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" toupper - uppercase a string (locale-aware) -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de toupper -.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -\\$* -.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH-xref - format a cross-reference to an SH section -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de SH-xref -.ie n \{\ -.\} -.toupper \\$* -.el \{\ -\\$* -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH - level-one heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SH -.\" put an extra blank line of space above the head in non-TTY output -.if t \{\ -.sp 1 -.\} -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[an-margin]u -.ti 0 -.HTML-TAG ".NH \\n[an-level]" -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -\." make the size of the head bigger -.ps +3 -.ft B -.ne (2v + 1u) -.ie n \{\ -.\" if n (TTY output), use uppercase -.toupper \\$* -.\} -.el \{\ -.nr an-break-flag 0 -.\" if not n (not TTY), use normal case (not uppercase) -\\$1 -.in \\n[an-margin]u -.ti 0 -.\" if not n (not TTY), put a border/line under subheading -.sp -.6 -\l'\n(.lu' -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SS - level-two heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SS -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[IN]u -.ti \\n[SN]u -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -.ps \\n[PS-SS]u -\." make the size of the head bigger -.ps +2 -.ft B -.ne (2v + 1u) -.if \\n[.$] \&\\$* -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BB/BE - put background/screen (filled box) around block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BB -.if t \{\ -.sp -.5 -.br -.in +2n -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EB -.if t \{\ -.if "\\$2"adjust-for-leading-newline" \{\ -.sp -1 -.\} -.br -.di -.in -.ll -.gcolor -.nr BW \\n(.lu-\\n(.i -.nr BH \\n(dn+.5v -.ne \\n(BHu+.5v -.ie "\\$2"adjust-for-leading-newline" \{\ -\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.el \{\ -\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.in 0 -.sp -.5v -.nf -.BX -.in -.sp .5v -.fi -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BM/EM - put colored marker in margin next to block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BM -.if t \{\ -.br -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EM -.if t \{\ -.br -.di -.ll -.gcolor -.nr BH \\n(dn -.ne \\n(BHu -\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -.in 0 -.nf -.BX -.in -.fi -.\} -.. +.TH "PAM_SEPERMIT" "8" "11/04/2009" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- @@ -166,20 +18,18 @@ .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- -.SH "Name" +.SH "NAME" pam_sepermit \- PAM module to allow/deny login depending on SELinux enforcement state -.SH "Synopsis" -.fam C +.SH "SYNOPSIS" .HP \w'\fBpam_sepermit\&.so\fR\ 'u \fBpam_sepermit\&.so\fR [debug] [conf=\fI/path/to/config/file\fR] -.fam .SH "DESCRIPTION" .PP The pam_sepermit module allows or denies login depending on SELinux enforcement state\&. .PP When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode\&. Otherwise he is denied access\&. For users not matching any entry in the config file the pam_sepermit module returns PAM_IGNORE return value\&. .PP -The config file contains a simple list of user names one per line\&. If the +The config file contains a list of user names one per line with optional arguments\&. If the \fIname\fR is prefixed with \fI@\fR @@ -191,10 +41,9 @@ character the SELinux user is used to match against the \fIname\fR instead of the account name\&. Note that when SELinux is disabled the SELinux user assigned to the account cannot be determined\&. This means that such entries are never matched when SELinux is disabled and pam_sepermit will return PAM_IGNORE\&. .PP -Each user name in the configuration file can have optional arguments separated by -\fI:\fR -character\&. The only currently recognized argument is -\fIexclusive\fR\&. The pam_sepermit module will allow only single concurrent user session for the user with this argument specified and it will attempt to kill all processes of the user after logout\&. +See +\fBsepermit.conf\fR(5) +for details\&. .SH "OPTIONS" .PP \fBdebug\fR @@ -242,7 +91,7 @@ Error during reading or parsing the config file\&. .RE .SH "FILES" .PP -\FC/etc/security/sepermit\&.conf\F[] +/etc/security/sepermit\&.conf .RS 4 Default configuration file .RE @@ -251,36 +100,24 @@ Default configuration file .if n \{\ .RS 4 .\} -.fam C -.ps -1 .nf -.if t \{\ -.sp -1 -.\} -.BB lightgray adjust-for-leading-newline -.sp -1 - auth [success=done ignore=ignore default=bad] pam_sepermit\&.so auth required pam_unix\&.so account required pam_unix\&.so session required pam_permit\&.so -.EB lightgray adjust-for-leading-newline -.if t \{\ -.sp 1 -.\} .fi -.fam -.ps +1 .if n \{\ .RE .\} .SH "SEE ALSO" .PP +\fBsepermit.conf\fR(5), \fBpam.conf\fR(5), -\fBpam.d\fR(8), +\fBpam.d\fR(5), \fBpam\fR(8) +\fBselinux\fR(8) .SH "AUTHOR" .PP -pam_sepermit was written by Tomas Mraz <tmraz@redhat\&.com>\&. +pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index da4153bf..30d9cc54 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -40,7 +40,7 @@ the pam_sepermit module returns PAM_IGNORE return value. </para> <para> - The config file contains a simple list of user names one per line. If the + The config file contains a list of user names one per line with optional arguments. If the <replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all users in the group <replaceable>name</replaceable> match. If it is prefixed with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable> @@ -50,12 +50,11 @@ will return PAM_IGNORE. </para> <para> - Each user name in the configuration file can have optional arguments separated - by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>. - The pam_sepermit module will allow only single concurrent user session for - the user with this argument specified and it will attempt to kill all processes - of the user after logout. + See <citerefentry> + <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> for details. </para> + </refsect1> <refsect1 id="pam_sepermit-options"> @@ -168,21 +167,27 @@ session required pam_permit.so <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> </citerefentry> + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> </para> </refsect1> <refsect1 id='pam_sepermit-author'> <title>AUTHOR</title> <para> - pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 0fd95619..8b2360b5 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,7 +1,7 @@ /****************************************************************************** * A module for Linux-PAM that allows/denies acces based on SELinux state. * - * Copyright (c) 2007, 2008 Red Hat, Inc. + * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz <tmraz@redhat.com> * Contributions by Dan Walsh <dwalsh@redhat.com> * @@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug) /* return 0 when matched, -1 when unmatched, pam error otherwise */ static int sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, - const char *seuser, int debug, int sense) + const char *seuser, int debug, int *sense) { FILE *f; char *line = NULL; @@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, size_t len = 0; int matched = 0; int exclusive = 0; + int ignore = 0; f = fopen(cfgfile, "r"); @@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (debug) pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); if (strcmp(seuser, start) == 0) { - matched = 1; + matched = 1; } break; default: @@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { if (strcmp(opt, "exclusive") == 0) exclusive = 1; + else if (strcmp(opt, "ignore") == 0) + ignore = 1; else if (debug) { pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); } @@ -307,10 +310,14 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, free(line); fclose(f); if (matched) { - if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive) - return sepermit_lock(pamh, user, debug); - else - return 0; + if (*sense == PAM_SUCCESS) { + if (ignore) + *sense = PAM_IGNORE; + if (geteuid() == 0 && exclusive) + if (sepermit_lock(pamh, user, debug) < 0) + *sense = PAM_AUTH_ERR; + } + return 0; } else return -1; @@ -365,7 +372,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if (debug && sense != PAM_SUCCESS) pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); - rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense); + rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense); if (debug) pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); diff --git a/modules/pam_sepermit/sepermit.conf.5 b/modules/pam_sepermit/sepermit.conf.5 new file mode 100644 index 00000000..340e9816 --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf.5 @@ -0,0 +1,110 @@ +'\" t +.\" Title: sepermit.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> +.\" Date: 11/04/2009 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "SEPERMIT\&.CONF" "5" "11/04/2009" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +sepermit.conf \- configuration file for the pam_sepermit module +.SH "DESCRIPTION" +.PP +The lines of the configuration file have the following syntax: +.PP + +\fI<user>\fR[:\fI<option>\fR:\fI<option>\fR\&.\&.\&.] +.PP +The +\fBuser\fR +can be specified in the following manner: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a username +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a groupname, with +\fB@group\fR +syntax\&. This should not be confused with netgroups\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a SELinux user name with +\fB%seuser\fR +syntax\&. +.RE +.PP +The recognized options are: +.PP +\fBexclusive\fR +.RS 4 +Only single login session will be allowed for the user and the user\'s processes will be killed on logout\&. +.RE +.PP +\fBignore\fR +.RS 4 +The module will never return PAM_SUCCESS status for the user\&. It will return PAM_IGNORE if SELinux is in the enforcing mode, and PAM_AUTH_ERR otherwise\&. It is useful if you want to support passwordless guest users and other confined users with passwords simultaneously\&. +.RE +.PP +The lines which start with # character are comments and are ignored\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +/etc/security/sepermit\&.conf\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +%guest_u:exclusive +%staff_u:ignore +%user_u:ignore + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP + +\fBpam_sepermit\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8), +\fBselinux\fR(8), +.SH "AUTHOR" +.PP +pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com> diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml new file mode 100644 index 00000000..511480f6 --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf.5.xml @@ -0,0 +1,110 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="sepermit.conf"> + + <refmeta> + <refentrytitle>sepermit.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>sepermit.conf</refname> + <refpurpose>configuration file for the pam_sepermit module</refpurpose> + </refnamediv> + + <refsect1 id='sepermit.conf-description'> + <title>DESCRIPTION</title> + <para> + The lines of the configuration file have the following syntax: + </para> + <para> + <replaceable><user></replaceable>[:<replaceable><option></replaceable>:<replaceable><option></replaceable>...] + </para> + <para> + The <emphasis remap='B'>user</emphasis> can be specified in the following manner: + </para> + <itemizedlist> + <listitem> + <para> + a username + </para> + </listitem> + <listitem> + <para> + a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + This should not be confused with netgroups. + </para> + </listitem> + <listitem> + <para> + a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax. + </para> + </listitem> + </itemizedlist> + + <para> + The recognized options are: + </para> + + <variablelist> + <varlistentry> + <term><option>exclusive</option></term> + <listitem> + <para> + Only single login session will be allowed for the user + and the user's processes will be killed on logout. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>ignore</option></term> + <listitem> + <para> + The module will never return PAM_SUCCESS status for the user. + It will return PAM_IGNORE if SELinux is in the enforcing mode, + and PAM_AUTH_ERR otherwise. It is useful if you want to support + passwordless guest users and other confined users with passwords + simultaneously. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + The lines which start with # character are comments and are ignored. + </para> + </refsect1> + + <refsect1 id="sepermit.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/sepermit.conf</filename>. + </para> + <programlisting> +%guest_u:exclusive +%staff_u:ignore +%user_u:ignore + </programlisting> + </refsect1> + + <refsect1 id="sepermit.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + </para> + </refsect1> + + <refsect1 id="sepermit.conf-author"> + <title>AUTHOR</title> + <para> + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com> + </para> + </refsect1> +</refentry> |