From aea290af6d2de6a493e952b9ef8c771ab9014fef Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:52 +0000 Subject: pam_selinux.8.xml: update * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis): Reorder options, add new "restore" option. pam_selinux-description): Rewrite. (pam_selinux-options): Reorder options, describe new "restore" option. (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR and PAM_BUF_ERR. (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4) and selinux(8). --- modules/pam_selinux/pam_selinux.8.xml | 113 ++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 39 deletions(-) diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 2c1cdb24..28d465f5 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -19,17 +19,20 @@ pam_selinux.so - close + open - debug + close - open + restore nottys + + debug + verbose @@ -48,26 +51,31 @@ DESCRIPTION - In a nutshell, pam_selinux sets up the default security context for the - next execed shell. + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. + + + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + + execve2 + + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. - When an application opens a session using pam_selinux, the shell that - gets executed will be run in the default security context, or if the - user chooses and the pam file allows the selected security context. - Also the controlling tty will have it's security context modified to - match the users. + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. - Adding pam_selinux into a pam file could cause other pam modules to - change their behavior if the exec another application. The close and - open option help mitigate this problem. close option will only cause - the close portion of the pam_selinux to execute, and open will only - cause the open portion to run. You can add pam_selinux to the config - file twice. Add the pam_selinux close as the executes the open pass - through the modules, pam_selinux open_session will happen last. - When PAM executes the close pass through the modules pam_selinux - close_session will happen first. + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. To avoid that, + pam_selinux.so open should be placed after such + modules in the PAM stack, and pam_selinux.so close + should be placed before them. When such a placement is not feasible, + pam_selinux.so restore could be used to temporary + restore original security contexts. @@ -76,34 +84,34 @@ - + - Only execute the close_session portion of the module. + Only execute the open_session part of the module. - + - Turns on debugging via - - syslog3 - . + Only execute the close_session part of the module. - + - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. @@ -113,7 +121,20 @@ - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + + + + + + + + + + Turn on debug messages via + + syslog3 + . @@ -123,7 +144,7 @@ - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. @@ -134,7 +155,7 @@ Attempt to ask the user for a custom security context role. - If MLS is on ask also for sensitivity level. + If MLS is on, ask also for sensitivity level. @@ -145,11 +166,11 @@ Attempt to obtain a custom security context role from PAM environment. - If MLS is on obtain also sensitivity level. This option and the - select_context option are mutually exclusive. The respective PAM + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and - SELINUX_USE_CURRENT_RANGE. The first two variables + SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. @@ -181,18 +202,18 @@ RETURN VALUES - PAM_AUTH_ERR + PAM_SUCCESS - Unable to get or set a valid context. + The security context was set successfully. - PAM_SUCCESS + PAM_SESSION_ERR - The security context was set successfully. + Unable to get or set a valid context. @@ -204,6 +225,14 @@ + + PAM_BUF_ERR + + + Memory allocation error. + + + @@ -220,13 +249,19 @@ session optional pam_selinux.so SEE ALSO - pam.conf5 + execve2 + , + + tty4 , pam.d5 , pam8 + , + + selinux8 -- cgit v1.2.3