From SELinux Wiki
Revision as of 20:48, 13 September 2010 by Jaxelson (Talk | contribs)


PAM Login Process

Applications used to provide login services (such as gdm and ssh) in F-12 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:

Account Management - This manages services such as password expiry, service entitlement (i.e. what services the login process is allowed to access).
Authentication Management - Authenticate the user or subject and set up the credentials. PAM can handle a variety of devices including smart-cards and biometric devices.
Password Management - Manages password updates as needed by the specific authentication mechanism being used and the password policy.
Session Management - Manages any services that must be invoked before the login process completes and/or when the login process terminates. For SELinux this is where hooks are used to manage the domains the subject may enter.

The pam and pam.conf man pages describe the services and configuration in detail and only a summary is provided here covering the SELinux services.

The PAM configuration for F-12 is managed by a number of files located in the /etc/pam.d directory, which holds configuration files for login services such as gdm, gdm-autologin, login, remote and sshd. At various points in this Notebook the gdm configuration file has been modified to allow root login, and the pam_namespace.so module has been used to manage polyinstantiated directories for users.

There are also a number of PAM related configuration files in /etc/security, although only one is directly related to SELinux; it is described in the /etc/security/sepermit.conf File section of the Global Configuration Files.

The main login service related PAM configuration files (e.g. gdm) consist of multiple lines of information that are formatted as follows:

service type control module-path arguments

service - The service name, such as gdm or login, reflecting the login application. If there is a /etc/pam.d directory, then this is the name of a configuration file under that directory. Alternatively, a single configuration file called /etc/pam.conf can be used. F-12 uses the /etc/pam.d configuration.
type - The management group used by PAM, with valid entries being: account, auth, password and session, corresponding to the descriptions given above. Where there are multiple entries of the same "type", the order in which they appear can be significant.
control - States how the module should behave when the requested task fails. There are two formats: a single keyword such as required, optional or include; or multiple space separated entries enclosed in square brackets consisting of:
   [value1=action1 value2=action2 ..]

Both formats are shown in the example file below; see the pam.conf man pages for the gory details.

module-path - Either the full path name of the module or its location relative to the default module directory (/lib/security, although the exact location depends on the system architecture).
arguments - A space separated list of the arguments that are defined for the module.

An example PAM configuration file is as follows, although note that the "service" parameter is actually the file name because F-12 uses the /etc/pam.d directory configuration (in this case gdm for the Gnome login service).

# /etc/pam.d/gdm configuration rule entry. 
# SERVICE = file name (gdm) 

# TYPE   CONTROL  PATH                  ARGUMENTS
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
# auth   required pam_succeed_if.so     user != root quiet
auth     required pam_env.so
auth     substack system-auth
auth     optional pam_gnome_keyring.so
account  required pam_nologin.so
account  include  system-auth
password include  system-auth
session  required pam_selinux.so        close
session  required pam_loginuid.so
session  optional pam_console.so
session  required pam_selinux.so        open
session  optional pam_keyinit.so        force revoke
session  required pam_namespace.so
session  optional pam_gnome_keyring.so  auto_start
session  include  system-auth

The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. The SELinux PAM modules use the libselinux API to obtain their configuration information, and the three SELinux PAM entries shown in the configuration file above perform the following functions:

pam_selinux_permit.so - Allows pre-defined users the ability to logon without a password provided that SELinux is in enforcing mode (see the /etc/security/sepermit.conf File section of the Global Configuration Files).
pam_selinux.so open - Allows a security context to be set up for the user at initial logon (as all programs exec'ed from here will use this context). How the context is retrieved is described in the seusers file section of the Policy Configuration Files.
pam_selinux.so close - This will reset the login program's context to the context defined in the policy.
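The rule format described above (type, control in either keyword or bracketed form, module-path, arguments) and the pam_selinux.so close/open pair can be checked mechanically. The following parser and audit is an added example, not part of the SELinux Notebook or of PAM itself; the sample rules are a constructed subset of the gdm file shown above, and the ordering check only reports a deviation from the order that file uses.

```python
import re
from collections import namedtuple

# type is account|auth|password|session; control is a keyword (required, optional,
# include, ...) or a bracketed "[value=action ...]" list; module is the module path
# (or a stack name for include/substack); args are the module's arguments.
Rule = namedtuple('Rule', 'type control module args')

_RULE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$')

def parse_pamd(text):
    """Parse the body of one /etc/pam.d/<service> file; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f'malformed PAM rule: {raw!r}')
        rtype, control, module, args = m.groups()
        rules.append(Rule(rtype, control, module, args.split() if args else []))
    return rules

def control_actions(control):
    """Expand a control field into value->action pairs; a plain keyword maps to itself."""
    if control.startswith('['):
        return dict(item.split('=', 1) for item in control[1:-1].split())
    return {'keyword': control}

def audit_selinux(rules):
    """Flag a session stack that lacks, or misorders, the pam_selinux.so close/open pair."""
    session = [r for r in rules if r.type == 'session']
    where = {r.args[0]: i for i, r in enumerate(session) if r.module == 'pam_selinux.so' and r.args}
    findings = [f'session stack lacks "pam_selinux.so {a}"' for a in ('close', 'open') if a not in where]
    if {'close', 'open'} <= set(where) and where['close'] > where['open']:
        findings.append('"pam_selinux.so close" follows "open"; the gdm example runs close first')
    return findings

# Constructed sample: a subset of the gdm rules shown above (comments are dropped by the parser).
GDM_SAMPLE = """\
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
# auth   required pam_succeed_if.so     user != root quiet
auth     required pam_env.so
session  required pam_selinux.so        close
session  required pam_loginuid.so
session  required pam_selinux.so        open
session  required pam_namespace.so
"""
```

Running `audit_selinux(parse_pamd(open('/etc/pam.d/gdm').read()))` on a real system reports an empty list when both pam_selinux.so entries are present in the expected order.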