LinuxCommandLibrary

pam_sepermit

Grant/Revoke security context changes to users

SYNOPSIS

In PAM configuration files (e.g., /etc/pam.d/system-auth), pam_sepermit.so is typically used as follows:

module-type control-flag pam_sepermit.so

Where module-type is usually auth or account, and control-flag specifies the module's behavior (e.g., required, sufficient, optional). The module itself takes no specific arguments.

DESCRIPTION

pam_sepermit is a Pluggable Authentication Module (PAM) designed to enforce SELinux policy during user authentication and session establishment. Its core function is to verify if the Linux user attempting to log in has a persistent SELinux user mapping defined in the system's SELinux policy. This persistent mapping is typically configured using the semanage login command. If a user does not have an explicit persistent SELinux user mapping, or if the module cannot retrieve it, pam_sepermit can be configured to deny the authentication or account access, ensuring that all authenticated users operate within a predefined and managed SELinux security context. This module is crucial for environments requiring strict SELinux enforcement, preventing users from inadvertently or intentionally logging in with an unmanaged or default context that might bypass security policies.

CAVEATS

SELinux Dependency: Requires SELinux to be enabled and in enforcing mode for its checks to be meaningful.
User Mapping Requirement: Users must have explicit SELinux user mappings (e.g., configured via semanage login). Without proper mappings, users may be denied login.
Configuration Impact: Misconfiguration, especially when using required control flags, can lead to users being locked out of the system.
No Context Setting: This module checks for a persistent context; it does not set the SELinux context for the session. For setting the context, see pam_selinux(8).

PAM STACK PLACEMENT

The pam_sepermit module can be placed in different PAM module types:
auth stack: If placed here, it can deny authentication if the user's SELinux context is not persistent.
account stack: If placed here, it can deny access after successful authentication but before the session fully establishes, based on the persistent context check. This is often preferred as it allows for authentication failures to be handled separately.

SELINUX USER MAPPINGS

For pam_sepermit to function correctly, SELinux users must be explicitly mapped to Linux users. This mapping is managed using the semanage login command. For example, to map a Linux user 'john' to an SELinux user 'user_u', one would use:
semanage login -a -s user_u john
The module checks against these persistent mappings to determine if a login is permitted.
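Before placing pam_sepermit in a stack with a required control flag (see the lockout caveat above), an administrator will want to know which local users have no explicit mapping and so fall through to the __default__ entry. The script below is an added example, not part of the pam_sepermit manual or the SELinux project: it parses a constructed sample of semanage login -l output against a constructed user list and reports the users that lack an explicit mapping.

```shell
#!/bin/sh
# Added example: find Linux users that rely on the __default__ SELinux login
# mapping rather than an explicit one. The sample data below is constructed so
# the script runs without SELinux or semanage installed; on a real host the
# first variable would be filled from `semanage login -l` and the second from
# `getent passwd`.

# Constructed sample of `semanage login -l` output
# (columns: Login Name, SELinux User, MLS/MCS Range, Service)
SAMPLE_MAPPINGS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
john                 user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
%wheel               sysadm_u             s0-s0:c0.c1023       *'

# Constructed list of Linux login names to check, one per line
SAMPLE_USERS='john
alice
root
bob'

# explicit_mapping MAPPINGS USER
# Prints the SELinux user explicitly mapped to USER, or nothing if there is
# no entry for that login name (the header line is skipped).
explicit_mapping() {
    printf '%s\n' "$1" | awk -v u="$2" 'NR > 1 && $1 == u { print $2; exit }'
}

# unmapped_users MAPPINGS USERS
# Prints, one per line, every user from USERS that has no explicit mapping
# and would therefore be handled by the __default__ entry.
unmapped_users() {
    printf '%s\n' "$2" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ -z "$(explicit_mapping "$1" "$user")" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Example run against the constructed data: alice and bob are reported
unmapped_users "$SAMPLE_MAPPINGS" "$SAMPLE_USERS"
```

Group entries such as %wheel are left as plain rows here; a user who is only covered through a group mapping is still listed, so review the group rows by hand before treating the output as a lockout list.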

DISTINCTION FROM PAM_SELINUX

It's important to differentiate pam_sepermit from pam_selinux. While both are SELinux-related PAM modules:
pam_sepermit: Checks for a persistent SELinux user mapping. It enforces that a user has a predefined SELinux identity.
pam_selinux: Sets the SELinux context for the session. It transitions the process to the correct domain based on the user's mapping. These modules often work in conjunction but serve distinct purposes.

HISTORY

The pam_sepermit module emerged as part of the broader SELinux ecosystem development, particularly to strengthen the security posture around user authentication and session management. Its introduction aimed to close potential gaps where users might log in without an explicitly defined SELinux user identity, thereby potentially operating outside of intended policy constraints. It became a standard component in distributions that extensively leverage SELinux for fine-grained access control.

SEE ALSO

pam(8), selinux(8), semanage(8), semanage-login(8), pam_selinux(8)
