Change references to pam_selinux_permit to pam_sepermit

Replace gdm-password with sshd PAM configuration (from Fedora 33) as pam_sepermit in the existing example might not always work correctly when called from the auth section: https://bugzilla.redhat.com/show_bug.cgi?id=1492313

Reference the pam_selinux(8) and pam_sepermit(8) manuals

Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
---
 src/pam_login.md | 50 ++++++++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/src/pam_login.md b/src/pam_login.md
index 0c5a256..213a9f3 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -68,41 +68,37 @@ consist of multiple lines of information that are formatted as follows: </tbody> </table> -The */etc/pam.d/gdm-password* PAM configuration file for the Gnome login +The */etc/pam.d/sshd* PAM configuration file for the OpenSSH service is as follows: ``` -auth [success=done ignore=ignore default=bad] pam_selinux_permit.so -auth substack password-auth -auth optional pam_gnome_keyring.so -auth include postlogin - -account required pam_nologin.so -account include password-auth - -password substack password-auth --password optional pam_gnome_keyring.so use_authtok - -session required pam_selinux.so close -session required pam_loginuid.so -session optional pam_console.so -session required pam_selinux.so open -session optional pam_keyinit.so force revoke -session required pam_namespace.so -session include password-auth -session optional pam_gnome_keyring.so auto_start -session include postlogin +#%PAM-1.0 + +auth substack password-auth +auth include postlogin +account required pam_sepermit.so +account required pam_nologin.so +account include password-auth +password include password-auth +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_selinux.so open +session required pam_namespace.so +session optional pam_keyinit.so force revoke +session optional pam_motd.so +session include password-auth +session include postlogin ``` The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. 
The -SELinux PAM modules use the *libselinux* API to obtain its configuration -information and the three SELinux PAM entries highlighted in the above -configuration file perform the following functions: +***pam_sepermit**(8)* and ***pam_selinux**(8)* SELinux PAM modules use +the *libselinux* API to obtain its configuration information and the +three SELinux PAM entries highlighted in the above configuration file +perform the following functions: -- ***pam_selinux_permit.so*** - Allows pre-defined users the ability to - logon without a password provided that SELinux is in enforcing mode (see - the +- ***pam_sepermit.so*** - Allows pre-defined users the ability to + logon provided that SELinux is in enforcing mode (see the [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf) section). - ***pam_selinux.so open*** - Allows a security context to be set up for -- 2.27.0
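Review bot: the rewritten sentence in this hunk, `***pam_sepermit**(8)* and ***pam_selinux**(8)* SELinux PAM modules use the *libselinux* API to obtain its configuration information`, now has a plural subject, so `its` should read `their`; in the same sentence, `highlighted in the above configuration file` no longer describes anything, since the new fenced sshd block carries no highlighting, so `listed in the above configuration file` would be accurate. The pam_sepermit bullet also drops `without a password` to match moving the module from the `auth` stack (where `success=done` short-circuited the remaining auth modules) to the `account` stack, but `Allows pre-defined users the ability to logon provided that SELinux is in enforcing mode` still leaves the other case implicit; since the commit points readers at pam_sepermit(8), it would help to state here that listed users are denied access when SELinux is not enforcing, so the reader does not misread the module as a password bypass. Minor: the new config block drops the blank lines between the auth, account, password and session groups that the old block used, which made the three SELinux entries easier to spot.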