From 3c3bb4c3659615ffba1b23f537120ea996e8a774 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 11 Jul 2008 15:37:28 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-07-11 Tomas Mraz * modules/pam_selinux/pam_selinux.c (config_context): Do not ask for the level if use_current_range is set. (context_from_env): New function to obtain the context from PAM environment variables. (pam_sm_open_session): Call context_from_env() if env_params option is present. use_current_range now modifies behavior of the context_from_env and config_context options. * modules/pam_selinux/pam_selinux.8.xml: Describe the env_params option. Adjust description of use_current_range option. --- modules/pam_selinux/pam_selinux.8.xml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) (limited to 'modules/pam_selinux/pam_selinux.8.xml') diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 3acd1322..ab368a87 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -36,6 +36,9 @@ select_context + + env_params + use_current_range 
@@ -135,14 +138,32 @@ + + + + + + + Attempt to obtain a custom security context role from PAM environment. + If MLS is on obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM + environment variables are SELINUX_ROLE_REQUESTED, + SELINUX_LEVEL_REQUESTED, and + SELINUX_USE_CURRENT_RANGE. The first two variables + are self describing and the last one if set to 1 makes the PAM module behave as + if the use_current_range was specified on the command line of the module. + + + - Use the sensitivity range of the process for the user context. - This option and the select_context option are mutually exclusive. + Use the sensitivity level of the current process for the user context + instead of the default level. Also supresses asking of the + sensitivity level from the user or obtaining it from PAM environment. -- cgit v1.2.3
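Review bot: In the synopsis hunk (@@ -36,6 +39,9 @@), env_params is added as its own entry between select_context and use_current_range, so nothing in the synopsis shows that env_params and select_context cannot be combined, although the new description text says they are mutually exclusive. Consider presenting the two as alternatives in the synopsis, so a reader who only looks at the synopsis does not configure both.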
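Review bot: The new env_params paragraph (@@ -135,14 +138,32 @@) names SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED and SELINUX_USE_CURRENT_RANGE, but it does not say which component is expected to set them in the PAM environment, or what the module does when a variable is unset or holds a role or level the user is not allowed to use. Since these values select the session's security context, please add a sentence covering the expected source of the variables and the fallback behaviour. Smaller points in the same hunk: "supresses" should be "suppresses"; "specified on the command line of the module" would read better as a module argument; and the rewritten use_current_range text now says "sensitivity level" where the removed text said "sensitivity range", which no longer matches the option name, so state which of the two is meant.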