From 538dad819245deb53f1d55109130dce2199c6730 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 29 Jan 2008 15:38:34 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-01-29 Tomas Mraz * configure.in: Test for setkeycreatecon needs libselinux. Add new module pam_sepermit. * modules/Makefile.am: Add new module pam_sepermit. * modules/pam_sepermit/.cvsignore: New file. * modules/pam_sepermit/Makefile.am: Likewise. * modules/pam_sepermit/README.xml: Likewise. * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_sepermit/sepermit.conf: Likewise. * modules/pam_sepermit/tst-pam_sepermit: Likewise. * doc/sag/pam_sepermit.xml: Likewise. * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. --- ChangeLog | 16 ++ NEWS | 2 + configure.in | 8 +- doc/sag/pam_sepermit.xml | 38 +++ doc/sag/pam_tty_audit.xml | 38 +++ modules/pam_sepermit/.cvsignore | 10 + modules/pam_sepermit/Makefile.am | 43 ++++ modules/pam_sepermit/README.xml | 41 ++++ modules/pam_sepermit/pam_sepermit.8.xml | 189 +++++++++++++++ modules/pam_sepermit/pam_sepermit.c | 405 ++++++++++++++++++++++++++++++++ modules/pam_sepermit/sepermit.conf | 11 + modules/pam_sepermit/tst-pam_sepermit | 2 + 12 files changed, 802 insertions(+), 1 deletion(-) create mode 100644 doc/sag/pam_sepermit.xml create mode 100644 doc/sag/pam_tty_audit.xml create mode 100644 modules/pam_sepermit/.cvsignore create mode 100644 modules/pam_sepermit/Makefile.am create mode 100644 modules/pam_sepermit/README.xml create mode 100644 modules/pam_sepermit/pam_sepermit.8.xml create mode 100644 modules/pam_sepermit/pam_sepermit.c create mode 100644 modules/pam_sepermit/sepermit.conf create mode 100755 modules/pam_sepermit/tst-pam_sepermit diff --git a/ChangeLog b/ChangeLog index ff4a228e..86adc731 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2008-01-29 Tomas Mraz + + * configure.in: Test for setkeycreatecon needs libselinux. + Add new module pam_sepermit. + * modules/Makefile.am: Add new module pam_sepermit. + * modules/pam_sepermit/.cvsignore: New file. + * modules/pam_sepermit/Makefile.am: Likewise. + * modules/pam_sepermit/README.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_sepermit/sepermit.conf: Likewise. + * modules/pam_sepermit/tst-pam_sepermit: Likewise. + * doc/sag/pam_sepermit.xml: Likewise. + + * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. + 2008-01-29 Miloslav Trmac * modules/pam_tty_audit/README.xml: Add notes section. diff --git a/NEWS b/NEWS index 44e93d5a..edd84e38 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,8 @@ Linux-PAM NEWS -- history of user-visible changes. and number of sessions (pam_limits) to the Linux audit subsystem. * Support sha256 and sha512 algorithms in pam_unix when they are supported by crypt(). +* New pam_sepermit.so module for allowing/rejecting access based on + SELinux mode. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/configure.in b/configure.in index cd92f80a..90349a14 100644 --- a/configure.in +++ b/configure.in @@ -393,6 +393,7 @@ AC_SUBST(LIBDB) AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"]) AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="") +BACKUP_LIBS=$LIBS LIBS="$LIBS $LIBNSL" AC_CHECK_FUNCS(yp_get_default_domain) LIBS=$BACKUP_LIBS @@ -410,6 +411,10 @@ AC_SUBST(LIBSELINUX) AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"]) if test ! -z "$LIBSELINUX" ; then AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in]) + BACKUP_LIBS=$LIBS + LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(setkeycreatecon) + LIBS=$BACKUP_LIBS fi dnl Checks for header files. @@ -442,7 +447,7 @@ AC_CHECK_FUNCS(fseeko gethostname gettimeofday lckpwdf mkdir select) AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) AC_CHECK_FUNCS(getgrouplist getline getdelim) -AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon) +AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af) AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) @@ -531,6 +536,7 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ modules/pam_rhosts/Makefile \ modules/pam_rootok/Makefile modules/pam_exec/Makefile \ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \ + modules/pam_sepermit/Makefile \ modules/pam_shells/Makefile modules/pam_stress/Makefile \ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \ modules/pam_time/Makefile modules/pam_tty_audit/Makefile \ diff --git a/doc/sag/pam_sepermit.xml b/doc/sag/pam_sepermit.xml new file mode 100644 index 00000000..6ef9e0f8 --- /dev/null +++ b/doc/sag/pam_sepermit.xml @@ -0,0 +1,38 @@ + + +
+ pam_sepermit - allow/reject access based on SELinux mode + + + +
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
diff --git a/doc/sag/pam_tty_audit.xml b/doc/sag/pam_tty_audit.xml new file mode 100644 index 00000000..55e73862 --- /dev/null +++ b/doc/sag/pam_tty_audit.xml @@ -0,0 +1,38 @@ + + +
+ pam_tty_audit - enable/disable tty auditing + + + +
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore new file mode 100644 index 00000000..258e7207 --- /dev/null +++ b/modules/pam_sepermit/.cvsignore @@ -0,0 +1,10 @@ +*.la +*.lo +*.so +*~ +.deps +.libs +Makefile +Makefile.in +README +pam_sepermit.8 diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am new file mode 100644 index 00000000..09a60a3a --- /dev/null +++ b/modules/pam_sepermit/Makefile.am @@ -0,0 +1,43 @@ +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk +# Copyright (c) 2008 Red Hat, Inc. +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit + +if HAVE_LIBSELINUX + TESTS = tst-pam_sepermit + man_MANS = pam_sepermit.8 +endif + +XMLS = README.xml pam_sepermit.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +sepermitlockdir = /var/run/sepermit + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include \ + -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ + -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" + +pam_sepermit_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +secureconf_DATA = sepermit.conf +sepermitlock_DATA = + +if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_sepermit.la +endif +if ENABLE_REGENERATE_MAN +noinst_DATA = README pam_sepermit.8 +README: pam_sepermit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml new file mode 100644 index 00000000..bb65951c --- /dev/null +++ b/modules/pam_sepermit/README.xml @@ -0,0 +1,41 @@ + + +--> +]> + +
+ + + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> + + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml new file mode 100644 index 00000000..c2546b62 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -0,0 +1,189 @@ + + + + + + + pam_sepermit + 8 + Linux-PAM Manual + + + + pam_sepermit + PAM module to allow/deny login depending on SELinux enforcement state + + + + + pam_sepermit.so + + debug + + + conf=/path/to/config/file + + + + + + DESCRIPTION + + The pam_sepermit module allows or denies login depending on SELinux + enforcement state. + + + When the user which is logging in matches an entry in the config file + he is allowed access only when the SELinux is in enforcing mode. Otherwise + he is denied access. For users not matching any entry in the config file + the pam_sepermit module returns PAM_IGNORE return value. + + + The config file contains a simple list of user names one per line. If the + name is prefixed with @ character it means that all + users in the group name match. If it is prefixed + with a % character the SELinux user is used to match against the name + instead of the account name. Note that when SELinux is disabled the + SELinux user assigned to the account cannot be determined. This means that + such entries are never matched when SELinux is disabled and pam_sepermit + will return PAM_IGNORE. + + + Each user name in the configuration file can have optional arguments separated + by : character. The only currently recognized argument is exclusive. + The pam_sepermit module will allow only single concurrent user session for + the user with this argument specified and it will attempt to kill all processes + of the user after logout. + + + + + OPTIONS + + + + + + + + Turns on debugging via + + syslog3 + . + + + + + + + + + + Path to alternative config file overriding the default. + + + + + + + + MODULE SERVICES PROVIDED + + Only the and + services are supported. + + + + + RETURN VALUES + + + PAM_AUTH_ERR + + + SELinux is disabled or in the permissive mode and the user + matches. + + + + + PAM_SUCCESS + + + SELinux is in the enforcing mode and the user matches. + + + + + PAM_IGNORE + + + The user does not match any entry in the config file. + + + + + PAM_USER_UNKNOWN + + + The module was unable to determine the user's name. + + + + + PAM_SERVICE_ERR + + + Error during reading or parsing the config file. + + + + + + + + FILES + + + /etc/security/sepermit.conf + + Default configuration file + + + + + + + EXAMPLES + +auth [success=done ignore=ignore default=bad] pam_sepermit.so +auth required pam_unix.so +account required pam_unix.so +session required pam_permit.so + + + + + SEE ALSO + + + pam.conf5 + , + + pam.d8 + , + + pam8 + + + + + + AUTHOR + + pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + + + + diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c new file mode 100644 index 00000000..377fc2c5 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.c @@ -0,0 +1,405 @@ +/****************************************************************************** + * A module for Linux-PAM that allows/denies acces based on SELinux state. + * + * Copyright (c) 2007, 2008 Red Hat, Inc. + * Originally written by Tomas Mraz + * Contributions by Dan Walsh + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT + +#include +#include +#include +#include + +#include + +#define MODULE "pam_sepermit" +#define OPT_DELIM ":" + +struct lockfd { + uid_t uid; + int fd; + int debug; +}; + +#define PROC_BASE "/proc" +#define MAX_NAMES (int)(sizeof(unsigned long)*8) + +static int +match_process_uid(pid_t pid, uid_t uid) +{ + char buf[128]; + uid_t puid; + FILE *f; + int re = 0; + + snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); + if (!(f = fopen (buf, "r"))) + return 0; + + while (fgets(buf, sizeof buf, f)) { + if (sscanf (buf, "Uid:\t%d", &puid)) { + re = uid == puid; + break; + } + } + fclose(f); + return re; +} + +static int +check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug) +{ + DIR *dir; + struct dirent *de; + pid_t *pid_table, pid, self; + int i; + int pids, max_pids; + int running = 0; + self = getpid(); + if (!(dir = opendir(PROC_BASE))) { + pam_syslog(pamh, LOG_ERR, "Failed to open proc directory file %s:", PROC_BASE); + return -1; + } + max_pids = 256; + pid_table = malloc(max_pids * sizeof (pid_t)); + if (!pid_table) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + pids = 0; + while ((de = readdir (dir)) != NULL) { + if (!(pid = (pid_t)atoi(de->d_name)) || pid == self) + continue; + + if (pids == max_pids) { + if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + max_pids *= 2; + } + pid_table[pids++] = pid; + } + + (void)closedir(dir); + + for (i = 0; i < pids; i++) { + pid_t id; + + if (match_process_uid(pid_table[i], uid) == 0) + continue; + id = pid_table[i]; + + if (killall) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Attempting to kill %d", id); + kill(id, SIGKILL); + } + running++; + } + + free(pid_table); + return running; +} + +static void +sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED) +{ + struct lockfd *lockfd = plockfd; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_UNLCK; + fl.l_whence = SEEK_SET; + + if (lockfd->debug) + pam_syslog(pamh, LOG_ERR, "Unlocking fd: %d uid: %d", lockfd->fd, lockfd->uid); + + /* Don't kill uid==0 */ + if (lockfd->uid) + /* This is a DOS but it prevents an app from forking to prevent killing */ + while(check_running(pamh, lockfd->uid, 1, lockfd->debug) > 0) + continue; + + fcntl(lockfd->fd, F_SETLK, &fl); + close(lockfd->fd); + free(lockfd); +} + +static int +sepermit_lock(pam_handle_t *pamh, const char *user, int debug) +{ + char buf[PATH_MAX]; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_WRLCK; + fl.l_whence = SEEK_SET; + + struct passwd *pw = pam_modutil_getpwnam( pamh, user ); + if (!pw) { + pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user); + return -1; + } + if (check_running(pamh, pw->pw_uid, 0, debug) > 0) { + pam_syslog(pamh, LOG_ERR, "User %s processes are running. Exclusive login not allowed", user); + return -1; + } + + snprintf(buf, sizeof(buf), "%s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + int fd = open(buf, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR); + if (fd < 0) { + pam_syslog(pamh, LOG_ERR, "Unable to open lock file %s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + return -1; + } + + if (fcntl(fd, F_SETLK, &fl) == -1) { + pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user); + close(fd); + return -1; + } + struct lockfd *lockfd=calloc(1, sizeof(struct lockfd)); + if (!lockfd) { + close(fd); + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + lockfd->uid = pw->pw_uid; + lockfd->debug = debug; + lockfd->fd=fd; + pam_set_data(pamh, MODULE, lockfd, sepermit_unlock); + return 0; +} + +/* return 0 when matched, -1 when unmatched, pam error otherwise */ +static int +sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, + const char *seuser, int debug) +{ + FILE *f; + char *line = NULL; + char *start; + size_t len = 0; + int matched = 0; + int exclusive = 0; + + f = fopen(cfgfile, "r"); + + if (!f) { + pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); + return PAM_SERVICE_ERR; + } + + while (!matched && getline(&line, &len, f) != -1) { + size_t n; + char *sptr; + char *opt; + + if (line[0] == '#') + continue; + + start = line; + while (isspace(*start)) + ++start; + n = strlen(start); + while (n > 0 && isspace(start[n-1])) { + --n; + } + if (n == 0) + continue; + + start[n] = '\0'; + start = strtok_r(start, OPT_DELIM, &sptr); + + switch (start[0]) { + case '@': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); + if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) { + matched = 1; + } + break; + case '%': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); + if (strcmp(seuser, start) == 0) { + matched = 1; + } + break; + default: + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start); + if (strcmp(user, start) == 0) { + matched = 1; + } + } + if (matched) + while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { + if (strcmp(opt, "exclusive") == 0) + exclusive = 1; + else if (debug) { + pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); + } + } + } + + free(line); + fclose(f); + if (matched) + return exclusive ? sepermit_lock(pamh, user, debug) : 0; + else + return -1; +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i; + int rv; + int debug = 0; + int sense = PAM_AUTH_ERR; + const char *user = NULL; + char *seuser = NULL; + char *level = NULL; + const char *cfgfile = SEPERMIT_CONF_FILE; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "conf=") == 0) { + cfgfile = argv[i] + 5; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + || *user == '\0') { + pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); + return PAM_USER_UNKNOWN; + } + + if (is_selinux_enabled() > 0) { + if (security_getenforce() == 1) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match"); + sense = PAM_SUCCESS; + } + + if (getseuserbyname(user, &seuser, &level) != 0) { + seuser = NULL; + level = NULL; + pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m"); + } + } + + if (debug && sense != PAM_SUCCESS) + pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); + + rv = sepermit_match(pamh, cfgfile, user, seuser, debug); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); + + free(seuser); + free(level); + + switch (rv) { + case -1: + return PAM_IGNORE; + case 0: + return sense; + } + + return rv; +} + +PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_access_modstruct = { + "pam_sepermit", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + NULL, + NULL, + NULL +}; +#endif + diff --git a/modules/pam_sepermit/sepermit.conf b/modules/pam_sepermit/sepermit.conf new file mode 100644 index 00000000..951f3dfe --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf @@ -0,0 +1,11 @@ +# /etc/security/sepermit.conf +# +# Each line contains either: +# - an user name +# - a group name, with @group syntax +# - a SELinux user name, with %seuser syntax +# Each line can contain optional arguments separated by : +# The possible arguments are: +# - exclusive - only single login session will +# be allowed for the user and the user's processes +# will be killed on logout diff --git a/modules/pam_sepermit/tst-pam_sepermit b/modules/pam_sepermit/tst-pam_sepermit new file mode 100755 index 00000000..6e6d2363 --- /dev/null +++ b/modules/pam_sepermit/tst-pam_sepermit @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_sepermit.so -- cgit v1.2.3