When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next execve(2) call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring.
When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module.
Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications. To avoid that, pam_selinux.so open should be placed after such modules in the PAM stack, and pam_selinux.so close should be placed before them. When such a placement is not feasible, pam_selinux.so restore could be used to temporary restore original security contexts.
Only the session module type is provided.
auth required pam_unix.so session required pam_permit.so session optional pam_selinux.so
execve(2), tty(4), pam.d(5), pam(7), selinux(8)
pam_selinux was written by Dan Walsh <email@example.com>.