
Linux command

pam_selinux command


Common examples

Set SELinux context

session required pam_selinux.so

Close session

session required pam_selinux.so close

Open session

session required pam_selinux.so open

Prompt user to select

session required pam_selinux.so select_context

Obtain context from PAM environment

session required pam_selinux.so env_params

Enable verbose output

session required pam_selinux.so open verbose

Description

pam_selinux is a PAM module that sets the default SELinux security context for authenticated user sessions. It operates in two phases: open_session sets up the execution and controlling terminal security contexts, and close_session restores the previously saved contexts when the session ends. In a typical PAM configuration, this module is called twice -- once with close before other session modules, and once with open after them. This ensures that other modules run with the caller's context, while the user session receives the appropriate SELinux context.

Parameters

open
Execute only the open_session portion of the module, which sets the execution and terminal security contexts.
close
Execute only the close_session portion of the module, which restores previous security contexts.
restore
In open_session, temporarily restore security contexts as they were before the previous call of the module. Useful when open and close cannot be placed around other session modules.
nottys
Do not set the security context of the controlling terminal.
debug
Turn on debug messages via syslog(3).
verbose
Attempt to inform the user when the security context is set.
select_context
Prompt the user to select a custom role for the security context. Mutually exclusive with env_params.
env_params
Obtain a custom security context role from PAM environment variables (SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, SELINUX_USE_CURRENT_RANGE). Mutually exclusive with select_context.
use_current_range
Use the current process MLS sensitivity level rather than the default.
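
The description's close-first, open-last layout and the select_context / env_params exclusivity rule can be checked mechanically. The following Python sketch is an added example, not code from the original page or from the PAM project; the sample service-file contents are constructed, and `pam_loginuid.so` and `pam_keyinit.so` are assumed stand-ins for the "other session modules".

```python
import re

# Matches "session <control> <module> [args]"; control may be a bracketed action list.
LINE = re.compile(r"^-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed service-file contents (not from the page). pam_loginuid.so and
# pam_keyinit.so stand in for the "other session modules".
GOOD = """\
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_selinux.so open env_params
"""
BAD = """\
session required pam_selinux.so open select_context env_params
session required pam_loginuid.so   # runs after the context switch
session required pam_selinux.so close
"""

def session_entries(text):
    """Return (module, args) for every session line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    return entries

def check(text):
    """List deviations from the close-first / open-last layout."""
    entries = session_entries(text)
    others = [i for i, (mod, _) in enumerate(entries) if mod != "pam_selinux.so"]
    findings = []
    for i, (mod, args) in enumerate(entries):
        if mod != "pam_selinux.so":
            continue
        if "select_context" in args and "env_params" in args:
            findings.append(f"entry {i}: select_context and env_params are mutually exclusive")
        if "close" in args and any(o < i for o in others):
            findings.append(f"entry {i}: close comes after another session module")
        if "open" in args and any(o > i for o in others):
            findings.append(f"entry {i}: open comes before another session module")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(text) or "matches the typical layout")
```

Some shipped configurations place further session modules after the open line, so treat findings as prompts for review rather than errors.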

FAQ

How do I run a basic pam_selinux example?

`session required pam_selinux.so` is a PAM configuration line, not a shell command: add it to the session stack of the relevant service file under /etc/pam.d/, then adjust the options for your system.
