PAM_SELINUX(8) | Linux-PAM Manual | PAM_SELINUX(8) |
NAME
pam_selinux - PAM module to set the default security context
SYNOPSIS
pam_selinux.so [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range]
DESCRIPTION
pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process.
When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next execve(2) call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring.
When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module.
Adding pam_selinux to the PAM stack might disrupt the behavior of other PAM modules that execute applications. To avoid that, pam_selinux.so open should be placed after such modules in the PAM stack, and pam_selinux.so close should be placed before them. When such a placement is not feasible, pam_selinux.so restore could be used to temporarily restore the original security contexts.
OPTIONS
open
close
restore
nottys
debug
verbose
select_context
env_params
use_current_range
MODULE TYPES PROVIDED
Only the session module type is provided.
RETURN VALUES
PAM_SUCCESS
PAM_SESSION_ERR
PAM_USER_UNKNOWN
PAM_BUF_ERR
EXAMPLES
auth     required  pam_unix.so
session  required  pam_permit.so
session  optional  pam_selinux.so
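A checker for the ordering rule given in DESCRIPTION, as an added example (not part of the Linux-PAM manual or the module's own code). It assumes pam_exec.so stands in for the modules that execute applications, which this page does not name; the sample stacks and the hook path are constructed.

```python
import re

# Assumption: modules that run external programs in this stack. The man page
# does not name them; pam_exec.so is used here as a representative.
EXEC_MODULES = {"pam_exec.so"}

# type, control (simple word or [bracketed]), module path, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_entries(text):
    """Yield (lineno, module basename, args) for each session line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "session":
            yield lineno, m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def check_order(text, exec_modules=EXEC_MODULES):
    """Return (pam_selinux line, phase, exec-module line) for each violation."""
    entries = list(session_entries(text))
    findings = []
    for pos, (lineno, module, args) in enumerate(entries):
        if module != "pam_selinux.so" or "restore" in args:
            continue  # 'restore' entries are not checked here
        # With neither 'open' nor 'close' given, the entry acts in both phases.
        does_open = "open" in args or "close" not in args
        does_close = "close" in args or "open" not in args
        for other_pos, (other_line, other, _) in enumerate(entries):
            if other not in exec_modules:
                continue
            if does_open and pos < other_pos:   # open must come after
                findings.append((lineno, "open", other_line))
            if does_close and pos > other_pos:  # close must come before
                findings.append((lineno, "close", other_line))
    return findings

# Constructed sample stacks (not taken from any real system).
GOOD = """\
session  required  pam_selinux.so close
session  optional  pam_exec.so /usr/local/bin/session-hook
session  required  pam_selinux.so open
"""
BAD = """\
session  required  pam_selinux.so open
session  optional  pam_exec.so /usr/local/bin/session-hook
session  required  pam_selinux.so close
"""
if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_order(stack))
```

A pam_selinux.so entry with neither open nor close is reported whenever it shares a stack with one of the listed modules, since a single position cannot be both after and before them.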
SEE ALSO
AUTHOR
pam_selinux was written by Dan Walsh <dwalsh@redhat.com>.
11/25/2020 | Linux-PAM Manual |