From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 07/13] pam_login: Convert to markdown
Date: Wed, 2 Sep 2020 14:17:32 +0100 [thread overview]
Message-ID: <20200902131738.18425-8-richard_c_haines@btinternet.com> (raw)
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
Convert to markdown.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/pam_login.md | 107 +++++++++++++++++++++++++----------------------
1 file changed, 56 insertions(+), 51 deletions(-)
diff --git a/src/pam_login.md b/src/pam_login.md
index 08e1599..2b30bff 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -4,21 +4,18 @@ Applications used to provide login services (such as ***ssh**(1)*) in
Fedora use the PAM (Pluggable Authentication Modules) infrastructure to
provide the following services:
-- **Account Management** - This manages services such as password expiry,
-service entitlement (i.e. what services the login process is allowed to
-access).
-
-- **Authentication Management** - Authenticate the user or subject and set
-up the credentials. PAM can handle a variety of devices including
-smart-cards and biometric devices.
-
-- **Password Management** - Manages password updates as needed by the
-specific authentication mechanism being used and the password policy.
-
-- **Session Management** - Manages any services that must be invoked
-before the login process completes and / or when the login process
-terminates. For SELinux this is where hooks are used to manage the
-domains the subject may enter.
+- **Account Management** - This manages services such as password expiry,
+ service entitlement (i.e. what services the login process is allowed to
+ access).
+- **Authentication Management** - Authenticate the user or subject and set
+ up the credentials. PAM can handle a variety of devices including
+ smart-cards and biometric devices.
+- **Password Management** - Manages password updates as needed by the
+ specific authentication mechanism being used and the password policy.
+- **Session Management** - Manages any services that must be invoked
+ before the login process completes and / or when the login process
+ terminates. For SELinux this is where hooks are used to manage the
+ domains the subject may enter.
The ***pam**(8)* and ***pam.conf**(5)* *man* pages describe the services and
configuration in detail and only a summary is provided here covering the
@@ -43,32 +40,40 @@ service type control module-path arguments
**Where:**
-<table>
-<tbody>
-<tr>
-<td>service</td>
-<td>The service name such as <em>gdm</em> and <em>login</em> reflecting the login application. If there is a <em>/etc/pam.d</em> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <em>/etc/pam.conf</em> can be used. Fedora uses the <em>/etc/pam.d</em> configuration.</td>
-</tr>
-<tr>
-<td>type</td>
-<td>These are the management groups used by PAM with valid entries being: <em>account</em>, <em>auth</em>, <em>password</em> and <em>session</em> that correspond to the descriptions given above. Where there are multiple entries of the same '<em>type</em>', the order they appear could be significant.</td>
-</tr>
-<tr>
-<td>control</td>
-<td><p>This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as <em>required</em>, <em>optional</em>, and <em>include</em>; or multiple space separated entries enclosed in square brackets consisting of :</p>
-<p> [value1=action1 value2=action2 ..]</p>
-<p>Both formats are shown in the example file below, however see the <em><strong>pam.conf</strong>(5)</em> man pages for the gory details. </p></td>
-</tr>
-<tr>
-<td>module-path</td>
-<td>Either the full path name of the module or its location relative to <em>/lib/security</em> (but does depend on the system architecture).</td>
-</tr>
-<tr>
-<td>arguments</td>
-<td>A space separated list of the arguments that are defined for the module.</td>
-</tr>
-</tbody>
-</table>
+*service*
+
+- The service name such as *gdm* and *login* reflecting the login application.
+ If there is a */etc/pam.d* directory, then this is the name of a
+ configuration file name under this directory. Alternatively, a
+ configuration file called */etc/pam.conf* can be used. Fedora uses the
+ */etc/pam.d* configuration.
+
+*type*
+
+- These are the management groups used by PAM with valid entries being:
+ *account*, *auth*, *password* and *session* that correspond to the
+ descriptions given above. Where there are multiple entries of the same
+ '*type*', the order they appear could be significant.
+
+*control*
+
+- This entry states how the module should behave when the requested task
+ fails. There can be two formats: a single keyword such as *required*,
+ *optional*, and *include*; or multiple space separated entries enclosed in
+ square brackets consisting of (see the ***pam.conf**(5)* man pages):
+
+```
+[value1=action1 value2=action2 ..]
+```
+
+*module-path*
+
+- Either the full path name of the module or its location relative to
+ */lib/security* (but does depend on the system architecture).
+
+*arguments*
+
+- A space separated list of the arguments that are defined for the module.
The */etc/pam.d/sshd* PAM configuration file for the OpenSSH
service is as follows:
@@ -99,17 +104,17 @@ the *libselinux* API to obtain its configuration information and the
three SELinux PAM entries highlighted in the above configuration file
perform the following functions:
-- ***pam_sepermit.so*** - Allows pre-defined users the ability to
- logon provided that SELinux is in enforcing mode (see the
- [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf)
- section).
-- ***pam_selinux.so open*** - Allows a security context to be set up for
- the user at initial logon (as all programs exec'ed from here will use
- this context). How the context is retrieved is described in the
- [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers)
- section.
+- ***pam_sepermit.so*** - Allows pre-defined users the ability to
+ logon provided that SELinux is in enforcing mode (see the
+ [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf)
+ section).
+- ***pam_selinux.so open*** - Allows a security context to be set up for
+ the user at initial logon (as all programs exec'ed from here will use
+ this context). How the context is retrieved is described in the
+ [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers)
+ section.
- ***pam_selinux.so close*** - This will reset the login programs context
- to the context defined in the policy.
+ to the context defined in the policy.
<!-- %CUTHERE% -->
--
2.26.2
next prev parent reply other threads:[~2020-12-07 11:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-02 13:17 [PATCH 00/13] SELinux Notebook: Convert batch 2 to markdown Richard Haines
2020-09-02 13:17 ` [PATCH 01/13] libselinux_functions: Convert " Richard Haines
2020-09-02 13:17 ` [PATCH 02/13] mac: Tidy formatting Richard Haines
2020-09-02 13:17 ` [PATCH 03/13] modular_policy_statements: Convert to markdown Richard Haines
2020-09-02 13:17 ` [PATCH 04/13] network_statements: " Richard Haines
2020-09-02 13:17 ` [PATCH 05/13] network_support: " Richard Haines
2020-09-02 13:17 ` [PATCH 06/13] objects: " Richard Haines
2020-09-02 13:17 ` Richard Haines [this message]
2020-09-02 13:17 ` [PATCH 08/13] policy_config_statements: " Richard Haines
2020-09-02 13:17 ` [PATCH 09/13] policy_languages: Tidy up Richard Haines
2020-09-02 13:17 ` [PATCH 10/13] policy_store_config_files: Add TOC and tidy up formatting Richard Haines
2020-09-02 13:17 ` [PATCH 11/13] polyinstantiation: Convert to markdown Richard Haines
2020-09-02 13:17 ` [PATCH 12/13] rbac: Minor format fix Richard Haines
2020-09-02 13:17 ` [PATCH 13/13] role_statements: Convert to markdown Richard Haines
2020-09-03 14:52 ` [PATCH 00/13] SELinux Notebook: Convert batch 2 " Paul Moore
2020-09-03 16:11 ` Richard Haines
2020-09-03 21:11 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200902131738.18425-8-richard_c_haines@btinternet.com \
--to=richard_c_haines@btinternet.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.