7
In a nutshell, pam_selinux sets up the default security context for the next
10
When an application opens a session using pam_selinux, the shell that gets
11
executed will be run in the default security context, or if the user chooses
12
and the pam file allows the selected security context. Also the controlling tty
13
will have it's security context modified to match the users.
15
Adding pam_selinux into a pam file could cause other pam modules to change
16
their behavior if the exec another application. The close and open option help
17
mitigate this problem. close option will only cause the close portion of the
18
pam_selinux to execute, and open will only cause the open portion to run. You
19
can add pam_selinux to the config file twice. Add the pam_selinux close as the
20
executes the open pass through the modules, pam_selinux open_session will
21
happen last. When PAM executes the close pass through the modules pam_selinux
22
close_session will happen first.
7
pam_selinux is a PAM module that sets up the default SELinux security context
8
for the next executed process.
10
When a new session is started, the open_session part of the module computes and
11
sets up the execution security context used for the next execve(2) call, the
12
file security context for the controlling terminal, and the security context
13
used for creating a new kernel keyring.
15
When the session is ended, the close_session part of the module restores old
16
security contexts that were in effect before the change made by the
17
open_session part of the module.
19
Adding pam_selinux into the PAM stack might disrupt behavior of other PAM
20
modules which execute applications. To avoid that, pam_selinux.so open should
21
be placed after such modules in the PAM stack, and pam_selinux.so close should
22
be placed before them. When such a placement is not feasible, pam_selinux.so
23
restore could be used to temporary restore original security contexts.
29
Only execute the open_session part of the module.
28
Only execute the close_session portion of the module.
33
Only execute the close_session part of the module.
37
In open_session part of the module, temporarily restore the security
38
contexts as they were before the previous call of the module. Another call
39
of this module without the restore option will set up the new security
44
Do not setup security context of the controlling terminal.
32
Turns on debugging via syslog(3).
36
Only execute the open_session portion of the module.
40
Do not try to setup the ttys security context.
48
Turn on debug messages via syslog(3).
44
attempt to inform the user when security context is set.
52
Attempt to inform the user when security context is set.
48
Attempt to ask the user for a custom security context role. If MLS is on
56
Attempt to ask the user for a custom security context role. If MLS is on,
49
57
ask also for sensitivity level.
53
61
Attempt to obtain a custom security context role from PAM environment. If
54
MLS is on obtain also sensitivity level. This option and the select_context
55
option are mutually exclusive. The respective PAM environment variables are
56
SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and
57
SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and
58
the last one if set to 1 makes the PAM module behave as if the
62
MLS is on, obtain also sensitivity level. This option and the
63
select_context option are mutually exclusive. The respective PAM
64
environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED,
65
and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing
66
and the last one if set to 1 makes the PAM module behave as if the
59
67
use_current_range was specified on the command line of the module.