From 72188ec3483744ef54c20245ac4125eb1c67e92e Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 16 May 2005 11:04:31 +0000 Subject: Relevant BUGIDs: none Purpose of commit: new feature Commit summary: --------------- Add pam_selinux module --- modules/pam_selinux/pam_selinux.8 | 63 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 modules/pam_selinux/pam_selinux.8 (limited to 'modules/pam_selinux/pam_selinux.8') diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 new file mode 100644 index 00000000..4ccec58c --- /dev/null +++ b/modules/pam_selinux/pam_selinux.8 @@ -0,0 +1,63 @@ +.TH pam_selinux 8 2003/08/26 "Red Hat Linux" "System Administrator's Manual" +.SH NAME +pam_selinux \- set the default security context after login via PAM. +.SH SYNOPSIS +.B session optional /lib/security/pam_selinux.so +.br + +.SH DESCRIPTION +In a nutshell, pam_selinux sets up the default security context for the next execed +shell. + +When an application opens a session using pam_selinux, the shell that gets +executed will be run in the default security context, or if the user chooses +and the pam file allows the selected security context. Also the controlling +tty will have it's security context modified to match the users. + +Adding pam_selinux into a pam file could cause other pam modules to change +their behavior if the exec another application. The close and open option help +mitigate this problem. close option will only cause the close portion of the +pam_selinux to execute, and open will only cause the open portion to run. You +can add pam_selinux to the config file twice. Add the pam_selinux close as the +'first' session entry and open as the 'last' session entry. This way when pam +executes the open pass through the modules, pam_selinux open_session will +happen last. When pam executes the close pass through the modules pam_selinux +close_session will happen first. + +.SH ARGUMENTS +.IP close +Only execute the close_session portion of the module. +.IP debug +turns on debugging via \fBsyslog(3)\fR. +.IP multiple +tells pam_selinux.so to allow the user to select the security context they will +login with, if the user has more than one role. +.IP open +Only execute the open_session portion of the module. +.IP nottys +Do not try to setup the ttys security context. +.IP verbose +attempt to inform the user when security context is set. + +.SH EXAMPLE +\fB/etc/pam.d/some-login-program\fP: +.br +auth required /lib/security/pam_unix.so +.br +session required /lib/security/pam_permit.so +session optional /lib/security/pam_selinux.so +.br + +.SH CAVEATS +Setting the following line will cause the login to fail +auth sufficient /lib/security/pam_selinux.so verbose + + +.SH SEE ALSO +pam_selinux_check(8) + +.SH BUGS +Let's hope not, but if you find any, please email the author. + +.SH AUTHOR +Dan Walsh -- cgit v1.2.3