From SELinux Wiki
Jump to: navigation, search

PAM Login Process

Applications used to provide login services (such as gdm and ssh) in F-20 use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services:

Account Management - This manages services such as password expiry, service entitlement (i.e. what services the login process is allowed to access).
Authentication Management - Authenticate the user or subject and set up the credentials. PAM can handle a variety of devices including smart-cards and biometric devices.
Password Management - Manages password updates as needed by the specific authentication mechanism being used and the password policy.
Session Management - Manages any services that must be invoked before the login process completes and / or when the login process terminates. For SELinux this is where hooks are used to manage the domains the subject may enter.

The pam and pam.conf man pages describe the services and configuration in detail and only a summary is provided here covering the SELinux services.

The PAM configuration for F-20 is managed by a number of files located in the /etc/pam.d directory which has configuration files for login services such as: gdm, gdm-autologin, login, remote and sshd, and at various points in this Notebook the gdm configuration file has been modified to allow root login and the pam_namespace.so module used to manage polyinstantiated directories for users.

There are also a number of PAM related configuration files in /etc/security, although only one is directly related to SELinux that is described in the /etc/security/sepermit.conf file section.

The main login service related PAM configuration files (e.g. gdm) consist of multiple lines of information that are formatted as follows:

service type control module-path arguments


service The service name such as gdm and login reflecting the login application. If there is a /etc/pam.d directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called /etc/pam.conf can be used. F-20 uses the /etc/pam.d configuration.
type These are the management groups used by PAM with valid entries being: account, auth, password and session that correspond to the descriptions given above. Where there are multiple entries of the same 'type', the order they appear could be significant.
control This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as required, optional, and include; or multiple space separated entries enclosed in square brackets consisting of:
   [value1=action1 value2=action2 ..]

Both formats are shown in the example file below, however see the pam.conf man pages for the gory details.

module-path Either the full path name of the module or its location relative to /lib/security (but does depend on the system architecture).
arguments A space separated list of the arguments that are defined for the module.

An example PAM configuration file is as follows, although note that the 'service' parameter is actually the file name because F-20 uses the /etc/pam.d directory configuration (in this case gdm-password for the Gnome login service).

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin

account required pam_nologin.so
account include password-auth

password include password-auth

session required pam_selinux.so close debug
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open debug
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin

The core services are provided by PAM, however other library modules can be written to manage specific services such as support for SELinux. The SELinux PAM modules use the libselinux API to obtain its configuration information and the three SELinux PAM entries highlighted in the above configuration file perform the following functions:

pam_selinux_permit.so - Allows pre-defined users the ability to logon without a password provided that SELinux is in enforcing mode (see the /etc/security/sepermit.conf file section).
pam_selinux.so open - Allows a security context to be set up for the user at initial logon (as all programs exec'ed from here will use this context). How the context is retrieved is described in the seusers file section.
pam_selinux.so close - This will reset the login programs context to the context defined in the policy.