LinuxCommandLibrary

pam_selinux

Set SELinux security context for user sessions

SYNOPSIS

pam_selinux.so [debug] [relabel] [fs_create] [set_current] [restore_default_context] [strict] [nocon] [nohome] [noexec] [allow=<service_name>] [deny=<service_name>] [allow_unknown] [check_context] [select_context] [force_selection] [env=<variable>=<value>] [selinux_users_path=<path>]

PARAMETERS

debug
    Enables verbose logging to syslog, which can be useful for troubleshooting SELinux context issues.

relabel
    Instructs the module to attempt to relabel the user's home directory upon login if its current context is incorrect, based on SELinux policy defaults.

fs_create
    If the user's home directory does not exist, this option allows the module to create it with the correct SELinux context and then relabel it if necessary. Often used with pam_mkhomedir.

set_current
    Sets the current SELinux context of the process to the mapped user context after the session opens. This is typically the default behavior and is crucial for enforcing the user's SELinux domain.

restore_default_context
    Before exiting the session, attempts to restore the default SELinux context for the user's home directory. This can be used in conjunction with pam_mkhomedir.

strict
    If setting the SELinux context fails for any reason (e.g., no mapping found, permission denied), this option causes the PAM session to fail, preventing the user from logging in without the correct context.

nocon
    Prevents the module from setting a new SELinux context. It will still perform other operations like home directory relabeling or creation if specified.

nohome
    Disables any home directory management operations (creation or relabeling) by the module, even if relabel or fs_create are specified.

noexec
    Prevents the module from setting the exec context. This is typically used when the execution context should be inherited from the parent process or managed by another mechanism.

allow=<service_name>
    Allows SELinux context setting for the specified PAM service (e.g., 'ssh', 'login'). This option can be used multiple times to allow multiple services.

deny=<service_name>
    Denies SELinux context setting for the specified PAM service. This takes precedence over allow and can be used multiple times to deny multiple services.

allow_unknown
    Permits user login even if no corresponding SELinux user mapping is found for the system user. Without this option, such logins might fail if a mapping is expected.

check_context
    Verifies that the current process context matches the expected SELinux user context based on the user's mapping. If not, it can be used with strict to deny login.

select_context
    Allows the user to select their SELinux context from a list of authorized contexts. This typically requires the pam_sepermit.so module to be loaded in the PAM stack.

force_selection
    Forces context selection even if the sepermit module is not present or configured, potentially leading to unexpected behavior if not handled correctly by the PAM stack.

env=<variable>=<value>
    Sets an environment variable for the session. For example, env=HOME=/new/home could temporarily change the user's home directory variable.

selinux_users_path=<path>
    Specifies an alternative directory path for the seusers file, overriding the default policy-specific path (e.g., /etc/selinux/targeted/seusers).

DESCRIPTION

The pam_selinux module is a Pluggable Authentication Module (PAM) designed to set the appropriate SELinux security context for a user's session upon login. It plays a crucial role in ensuring that users operate within their defined SELinux security boundaries.

When a user authenticates, pam_selinux consults the SELinux user mapping configuration (typically defined in /etc/selinux/<SELINUXTYPE>/seusers) to determine the correct SELinux user, role, and type for the authenticated system user. Once determined, it sets the process's execution context, ensuring that subsequent actions within that session are constrained by the associated SELinux policy rules.

Beyond just setting the context, pam_selinux can also manage user home directories, including creating them if they don't exist and relabeling them to ensure they have the correct SELinux file contexts. This is vital for preventing security misconfigurations that could arise from incorrect labeling. It also offers options for debugging, strict enforcement, and conditional behavior based on the service initiating the session, making it a flexible component for integrating SELinux into system access controls.

CAVEATS

The pam_selinux module relies heavily on a properly configured SELinux environment and policy. Incorrect or missing SELinux user mappings in seusers(5) can lead to unexpected denials, or to users being unable to log in at all if allow_unknown is not used. When using options like relabel or fs_create, ensure that the system has sufficient permissions and that the underlying filesystem supports SELinux labeling. Conflicts can arise if other PAM modules perform similar actions (e.g., pam_mkhomedir) without proper coordination. The select_context option requires the pam_sepermit.so module to function correctly, and its absence or misconfiguration can prevent users from choosing their contexts.

MODULE TYPE

pam_selinux is primarily configured as a session module in the PAM stack. This means it is invoked after successful authentication to establish and manage the user's SELinux context for the duration of their session. While it mostly affects the session phase, some of its options (like strict or allow_unknown) can indirectly influence the success of the authentication or account phases.

SELINUX USER MAPPING

This module determines the SELinux context for a system user by consulting the seusers database (typically /etc/selinux/<SELINUXTYPE>/seusers). This file maps Linux user identities (e.g., 'root', 'user') to SELinux user identities (e.g., 'unconfined_u', 'staff_u') and optionally specifies default roles and security levels (e.g., 'staff_u:s0-s0:c0.c1023'). The module then uses this mapping to call setexeccon(3) to set the user's default execution context, ensuring that the user's processes run with the appropriate SELinux security attributes.
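The following is an added illustration of the lookup this section describes, not code from pam_selinux itself: it parses a constructed seusers(5) file, resolves a login to its SELinux user and MLS range (including the __default__ fallback entry that seusers(5) defines), and fails on a missing mapping in the way the CAVEATS section describes for allow_unknown. The default_fallthrough audit helper is an assumption of this example, not something the module provides.

```python
"""Resolve Linux logins to an SELinux user and MLS range from seusers(5) data."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in seusers(5) format: login:seuser:mls_range
SAMPLE_SEUSERS = """\
# __default__ applies to every login without an explicit entry
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
alice:staff_u:s0-s0:c0.c1023
bob:user_u:s0
"""

Mapping = Tuple[str, str]  # (seuser, mls_range)


def parse_seusers(text: str) -> Dict[str, Mapping]:
    """Parse seusers text; blank lines and '#' comments are skipped."""
    table: Dict[str, Mapping] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only: the MLS range itself
        # contains a colon (e.g. s0-s0:c0.c1023).
        parts = line.split(":", 2)
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"seusers line {lineno}: expected login:seuser:mls_range")
        login, seuser, mls = parts
        table[login] = (seuser, mls)
    return table


def resolve(login: str, table: Dict[str, Mapping],
            allow_unknown: bool = False) -> Optional[Tuple[str, str, str]]:
    """Return (seuser, mls_range, source), source being 'explicit' or
    '__default__'. With no match at all: None when allow_unknown (session
    proceeds with no context set), otherwise LookupError (login denied)."""
    if login in table:
        return (*table[login], "explicit")
    if "__default__" in table:
        return (*table["__default__"], "__default__")
    if allow_unknown:
        return None
    raise LookupError(f"no SELinux user mapping for {login!r}")


def default_fallthrough(logins: List[str], table: Dict[str, Mapping]) -> List[str]:
    """Audit helper (assumed, not part of the module): logins served only by
    __default__. A broad default such as unconfined_u silently gives every
    unlisted account an unconfined session, which is worth reviewing."""
    return [u for u in logins if u not in table and "__default__" in table]
```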

HISTORY

pam_selinux is an integral part of the SELinux userspace tools, which were developed to provide Mandatory Access Control (MAC) capabilities to Linux. Its development closely tracks the evolution of SELinux itself, aiming to seamlessly integrate SELinux context management into the standard PAM authentication and session management framework. It has been a core component for enforcing user-specific security contexts from the early days of SELinux adoption in major Linux distributions like Fedora and Red Hat Enterprise Linux.

SEE ALSO

pam(8), selinux(8), seusers(5), setexeccon(3), pam_mkhomedir(8), pam_sepermit(8)
