From de848d9e9146434817c65d74d1d0313e9d729462 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:01:37 +0200 Subject: Adding upstream version 1.4.0. Signed-off-by: Daniel Baumann --- modules/pam_selinux/README | 85 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 modules/pam_selinux/README (limited to 'modules/pam_selinux/README') diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README new file mode 100644 index 0000000..fb4d449 --- /dev/null +++ b/modules/pam_selinux/README 
@@ -0,0 +1,85 @@ +pam_selinux — PAM module to set the default security context + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +pam_selinux is a PAM module that sets up the default SELinux security context +for the next executed process. + +When a new session is started, the open_session part of the module computes and +sets up the execution security context used for the next execve(2) call, the +file security context for the controlling terminal, and the security context +used for creating a new kernel keyring. + +When the session is ended, the close_session part of the module restores old +security contexts that were in effect before the change made by the +open_session part of the module. + +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM +modules which execute applications. To avoid that, pam_selinux.so open should +be placed after such modules in the PAM stack, and pam_selinux.so close should +be placed before them. When such a placement is not feasible, pam_selinux.so +restore could be used to temporary restore original security contexts. + +OPTIONS + +open + + Only execute the open_session part of the module. + +close + + Only execute the close_session part of the module. + +restore + + In open_session part of the module, temporarily restore the security + contexts as they were before the previous call of the module. Another call + of this module without the restore option will set up the new security + contexts again. + +nottys + + Do not setup security context of the controlling terminal. + +debug + + Turn on debug messages via syslog(3). + +verbose + + Attempt to inform the user when security context is set. + +select_context + + Attempt to ask the user for a custom security context role. If MLS is on, + ask also for sensitivity level. + +env_params + + Attempt to obtain a custom security context role from PAM environment. If + MLS is on, obtain also sensitivity level. 
This option and the + select_context option are mutually exclusive. The respective PAM + environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, + and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing + and the last one if set to 1 makes the PAM module behave as if the + use_current_range was specified on the command line of the module. + +use_current_range + + Use the sensitivity level of the current process for the user context + instead of the default level. Also suppresses asking of the sensitivity + level from the user or obtaining it from PAM environment. + +EXAMPLES + +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + + +AUTHOR + +pam_selinux was written by Dan Walsh . + -- cgit v1.2.3
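Review bot: Two wording slips in the new README text need fixing before this lands: in the DESCRIPTION placement paragraph, "restore could be used to temporary restore original security contexts" should read "temporarily restore", and in the nottys option "Do not setup security context of the controlling terminal" should read "Do not set up the security context of the controlling terminal". The EXAMPLES section shows only a single `session optional pam_selinux.so` line, while the DESCRIPTION recommends placing `pam_selinux.so open` after modules that execute applications and `pam_selinux.so close` before them; a second example stack illustrating that open/close split would make the placement advice concrete for administrators. Also, the AUTHOR line reads "pam_selinux was written by Dan Walsh ." with a stray space before the period, which suggests text was dropped there and should be checked against the intended attribution.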