pam_secpol
Determines the type that should be associated with the user and switches to it if a security policy is loaded.
Syntax:
facility control_flag pam_secpol.so [verbose] [config=path] [allow_no_policy]
Options:
- verbose
- Perform additional logging.
- config=path
- Read the user-to-type mapping from path instead of /etc/pam_secpol_users.
- allow_no_policy
- Allow the pam_secpol module to be used when no security policy is loaded. If no policy is loaded, the module does not switch types and does not need to be removed.
Description:
The security policy relies on the use of types. Use the pam_secpol module to switch the type associated with a user's shell when they log in to a system. The module switches the user to another type based which user is being authenticated and a configuration file. If the type change fails, the module returns an error and the session is terminated. The pam_secpol module operates post-authentication, during the session creation stage.
Without this module, when you log in to a system that uses a security policy via ssh, or similar access method, the type ID associated with your shell is the same as that of the parent service (e.g., sshd).
The PAM module syntax does not stand alone and is contained within the context of the PAM configuration command. See the System Security Guide for more information about system authentication, configuring PAM, facilities, control flags, examples, and how QNX OS uses the OpenPAM framework.
Configuration file
The pam_secpol module uses a configuration file to map user names to type names.
By default, the module looks for the file in /etc/pam_secpol_users. You can change the filepath with the module's config option. The configuration file must be owned by root and have no group or world write access.
Each line of the pam_secpol configuration file uses the following format:
user:type
where:
- user is either a user name or an asterisk (*) that indicates that the type is associated with any user. If you use an asterisk, make sure it is the last line in the file because pam_secpol stops searching after it finds a match.
- type is a security policy type that is defined in the security policy file (you can generate all the required types for the file using secpol_generate). Alternatively, you can specify a hyphen (-), which indicates that pam_secpol should check the policy to see if a type can be derived from the current type and the user name. The example below illustrate how derived types work.
There is no default pam_secpol configuration file. If you do not specify one, pam_secpol behaves as if there is a file that contains the following single line, which indicates that all type changes are based on derived types:
*:-
The security policy may require additional lines to support the pam_secpol configuration file and should take into consideration what might happen if the abilities for all types in the configuration file are combined.
Example:
The following example configuration file specifies the types to switch to:
root:user_root_t
user1:user_user1_t
user2:user_user2_t
-
When the user logs in, its type is sshd_t.
-
The configuration file contains the following line:
root:-
-
The security policy contains the following line:
derive_type sshd_t root ssh_root;
The security policy file also needs to give the server process through which you are logging in (for example, sshd) the ability to switch to all of the types appearing in the pam_secpol configuration file:
allow sshd_t self:ability {
settypeid:ssh_root,user_user1_t,user_user2_t
};
Giving
sshd the ability to switch to these types is similar, from a
security point of view, to giving sshd the union of the capabilities
of all these types.Service category:
This module belongs to the session PAM service category.
Exit status:
If no policy is loaded, the pam_secpol module returns success if the allow_no_policy option has been specified; otherwise, it returns failure.- The pam_secpol configuration file is not accessible.
- The pam_secpol configuration file is not owned by root or has group or world write access.
- The user is not contained in the configuration file.
- The type corresponding to the user is not defined by the default security policy file, /proc/boot/secpol.bin.
- The call to switch types to the type associated with the user fails.
Otherwise, it returns success.