'\" t
.\"     Title: pam_selinux
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 08/31/2010
.\"    Manual: Linux-PAM Manual
.\"    Source: Linux-PAM Manual
.\"  Language: English
.\"
.TH "PAM_SELINUX" "8" "08/31/2010" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_selinux \- PAM module to set the default security context
.SH "SYNOPSIS"
.HP \w'\fBpam_selinux\&.so\fR\ 'u
\fBpam_selinux\&.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range]
.SH "DESCRIPTION"
.PP
In a nutshell, pam_selinux sets up the default security context for the next execed shell\&.
.PP
When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context or, if the user chooses one and the pam file allows it, in the selected security context\&. Also, the controlling tty will have its security context modified to match the user\*(Aqs\&.
.PP
Adding pam_selinux into a pam file could cause other pam modules to change their behavior if they exec another application\&.
The close and open options help mitigate this problem\&. The close option will only cause the close portion of pam_selinux to execute, and open will only cause the open portion to run\&. You can add pam_selinux to the config file twice\&. Add the pam_selinux close as the first session line and pam_selinux open as the last session line\&. When PAM executes the open pass through the modules, pam_selinux open_session will happen last\&. When PAM executes the close pass through the modules, pam_selinux close_session will happen first\&.
.SH "OPTIONS"
.PP
\fBclose\fR
.RS 4
Only execute the close_session portion of the module\&.
.RE
.PP
\fBdebug\fR
.RS 4
Turns on debugging via
\fBsyslog\fR(3)\&.
.RE
.PP
\fBopen\fR
.RS 4
Only execute the open_session portion of the module\&.
.RE
.PP
\fBnottys\fR
.RS 4
Do not try to set up the ttys security context\&.
.RE
.PP
\fBverbose\fR
.RS 4
Attempt to inform the user when the security context is set\&.
.RE
.PP
\fBselect_context\fR
.RS 4
Attempt to ask the user for a custom security context role\&. If MLS is on, also ask for the sensitivity level\&.
.RE
.PP
\fBenv_params\fR
.RS 4
Attempt to obtain a custom security context role from the PAM environment\&. If MLS is on, also obtain the sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are
\fISELINUX_ROLE_REQUESTED\fR,
\fISELINUX_LEVEL_REQUESTED\fR, and
\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self\-describing, and the last one, if set to 1, makes the PAM module behave as if use_current_range was specified on the command line of the module\&.
.RE
.PP
\fBuse_current_range\fR
.RS 4
Use the sensitivity level of the current process for the user context instead of the default level\&. This also suppresses asking the user for the sensitivity level or obtaining it from the PAM environment\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBsession\fR
module type is provided\&.
.SH "RETURN VALUES"
.PP
PAM_AUTH_ERR
.RS 4
Unable to get or set a valid context\&.
.RE
.PP
PAM_SUCCESS
.RS 4
The security context was set successfully\&.
.RE
.PP
PAM_USER_UNKNOWN
.RS 4
The user is not known to the system\&.
.RE
.SH "EXAMPLES"
.sp
.if n \{\
.RS 4
.\}
.nf
auth     required  pam_unix\&.so
session  required  pam_permit\&.so
session  optional  pam_selinux\&.so
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(7)
.SH "AUTHOR"
.PP
pam_selinux was written by Dan Walsh\&.
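.PP
The following is an added example, not part of the Linux-PAM manual or its source: a Python check of the close/open placement described in DESCRIPTION and of the select_context/env_params exclusion described in OPTIONS. It assumes the pam.d file format; check_pam_selinux, the sample stacks and the use of pam_limits.so as a filler module are constructed for illustration.

```python
import re

# pam.d format: type control module-path [arguments]; control may be [bracketed].
LINE = re.compile(r"^-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample stacks (not from the manual). pam_limits.so is filler.
SPLIT_OK = """\
auth     required  pam_unix.so
session  required  pam_selinux.so close
session  required  pam_limits.so
session  required  pam_unix.so
session  required  pam_selinux.so open env_params
"""
MISPLACED = """\
session  required  pam_selinux.so open select_context env_params
session  required  pam_limits.so
session  required  pam_unix.so
"""

def check_pam_selinux(text):
    """Return findings for the session stack of one pam.d-style file.
    Assumption: include/substack targets are not followed."""
    stack = []  # (module file name, [arguments]) in stack order
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    findings, halves = [], set()
    for pos, (module, args) in enumerate(stack):
        if module != "pam_selinux.so":
            continue
        if "select_context" in args and "env_params" in args:
            findings.append("select_context and env_params are mutually exclusive")
        if "close" in args and pos != 0:
            findings.append("pam_selinux close is not the first session line")
        if "open" in args and pos != len(stack) - 1:
            findings.append("pam_selinux open is not the last session line")
        # A line with neither option runs both portions of the module.
        halves |= {a for a in args if a in ("open", "close")} or {"open", "close"}
    if len(halves) == 1:
        findings.append("only the %s portion of pam_selinux is configured" % halves.pop())
    return findings

if __name__ == "__main__":
    for name, sample in (("SPLIT_OK", SPLIT_OK), ("MISPLACED", MISPLACED)):
        print(name, check_pam_selinux(sample) or "no findings")
```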