pam_selinux

pam_selinux.so [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range]

pam_selinux is a PAM module that sets the default SELinux security context for authenticated user sessions. It operates in two phases: open_session sets up the execution and controlling terminal security contexts, and close_session restores the previously saved contexts when the session ends.In a typical PAM configuration, this module is called twice -- once with close before other session modules, and once with open after them. This ensures that other modules run with the caller's context, while the user session receives the appropriate SELinux context.

open

Execute only the open_session portion of the module, which sets the execution and terminal security contexts.

Execute only the close_session portion of the module, which restores previous security contexts.

In open_session, temporarily restore security contexts as they were before the previous call of the module. Useful when open and close cannot be placed around other session modules.

Do not set the security context of the controlling terminal.

Turn on debug messages via syslog(3).

Attempt to inform the user when the security context is set.

Prompt the user to select a custom role for the security context. Mutually exclusive with env_params.

Obtain a custom security context role from PAM environment variables (SELINUXROLEREQUESTED, SELINUXLEVELREQUESTED, SELINUXUSECURRENTRANGE). Mutually exclusive with **selectcontext**.

Use the current process MLS sensitivity level rather than the default.

PAM_SUCCESS

Security context was set successfully.

Unable to get or set a valid context.

The user is not known to the system.

Memory allocation failure.

Only applicable on systems with SELinux enabled. This module provides only the session module type. The select_context and env_params options are mutually exclusive.

pam(8), pam.d(5), chcon(1), semanage(8), sestatus(8), getenforce(8)