Layer: system

Module: authlogin

Description:

Common policy for authentication and user login.

Interfaces:

auth_append_faillog(
	
		domain
		
	)

Summary

Append to the login failure log.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_append_lastlog(
	
		domain
		
	)

Summary

Append only to the last logins log.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_append_login_records(
	
		domain
		
	)

Summary

Append to login records (wtmp).

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_can_read_shadow_passwords(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_delete_pam_console_data(
	
		domain
		
	)

Summary

Delete pam_console data.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_delete_pam_pid(
	
		domain
		
	)

Summary

Delete pam PID files.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_domtrans_chk_passwd(
	
		domain
		
	)

Summary

Run unix_chkpwd to check a password.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_domtrans_login_program(
	
		domain
		
			,
		
		target_domain
		
	)

Summary

Execute a login_program in the target domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No
target_domain	The type of the login_program process.	No

auth_domtrans_pam(
	
		domain
		
	)

Summary

Execute pam programs in the pam domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_domtrans_pam_console(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_domtrans_utempter(
	
		domain
		
	)

Summary

Execute utempter programs in the utempter domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_dontaudit_exec_utempter(
	
		domain
		
	)

Summary

Do not audit attemps to execute utempter executable.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

auth_dontaudit_getattr_shadow(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of the shadow passwords file.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

auth_dontaudit_read_pam_pid(
	
		domain
		
	)

Summary

Do not audit attemps to read PAM pid files.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

auth_dontaudit_read_shadow(
	
		domain
		
	)

Summary

Do not audit attempts to read the shadow password file (/etc/shadow).

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain to not audit.	No

auth_dontaudit_write_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_exec_pam(
	
		domain
		
	)

Summary

Execute the pam program.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_getattr_shadow(
	
		domain
		
	)

Summary

Get the attributes of the shadow passwords file.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_list_pam_console_data(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_log_filetrans_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_login_entry_type(
	
		domain
		
	)

Summary

Use the login program as an entry point program.

Parameters

Parameter:	Description:	Optional:
domain	The type of process using the login program as entry point.	No

auth_manage_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Manage all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain perfoming this action.	No
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.	Yes

auth_manage_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_manage_pam_console_data(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_manage_pam_pid(
	
		domain
		
	)

Summary

Manage pam PID files.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_manage_shadow(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_manage_var_auth(
	
		domain
		
	)

Summary

Manage var auth files. Used by various other applications and pam applets etc.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_read_all_dirs_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all directories on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain perfoming this action.	No
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.	Yes

auth_read_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain perfoming this action.	No
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.	Yes

auth_read_all_symlinks_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all symbolic links on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain perfoming this action.	No
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.	Yes

auth_read_lastlog(
	
		domain
		
	)

Summary

Read the last logins log.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_read_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_read_pam_console_data(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_read_pam_pid(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_read_shadow(
	
		domain
		
	)

Summary

Read the shadow passwords file (/etc/shadow)

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_relabel_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Relabel all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain perfoming this action.	No
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.	Yes

auth_relabel_shadow(
	
		domain
		
	)

Summary

Relabel from and to the shadow password file type.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_relabelto_shadow(
	
		domain
		
	)

Summary

Relabel to the shadow password file type.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_run_pam(
	
		domain
		
			,
		
		role
		
			,
		
		terminal
		
	)

Summary

Execute pam programs in the PAM domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No
role	The role to allow the PAM domain.	No
terminal	The type of the terminal allow the PAM domain to use.	No

auth_run_utempter(
	
		domain
		
			,
		
		role
		
			,
		
		terminal
		
	)

Summary

Execute utempter programs in the utempter domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No
role	The role to allow the utempter domain.	No
terminal	The type of the terminal allow the utempter domain to use.	No

auth_rw_faillog(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_rw_lastlog(
	
		domain
		
	)

Summary

Read and write to the last logins log.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_rw_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_rw_shadow(
	
		domain
		
	)

Summary

Read and write the shadow password file (/etc/shadow).

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_search_pam_console_data(
	
		domain
		
	)

Summary

Search the contents of the pam_console data directory.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

auth_setattr_login_records(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_tunable_read_shadow(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

auth_unconfined(
	
		domain
		
	)

Summary

Unconfined access to the authlogin module.

Description

Unconfined access to the authlogin module.

Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_use_nsswitch(
	
		domain
		
	)

Summary

Use nsswitch to look up uid-username mappings.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

auth_write_login_records(
	
		domain
		
	)

Summary

Write to login records (wtmp).

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

Return

Templates:

auth_domtrans_user_chk_passwd(
	
		userdomain_prefix
		
			,
		
		domain
		
	)

Summary

Run unix_chkpwd to check a password for a user domain.

Description

Run unix_chkpwd to check a password for a user domain.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., user is the prefix for user_t).	No
domain	The type of the process performing this action.	No

authlogin_common_auth_domain_template(
	
		userdomain_prefix
		
	)

Summary

Common template to create a domain for authentication.

Description

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support.

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., user is the prefix for user_t).	No

authlogin_per_userdomain_template(
	
		userdomain_prefix
		
			,
		
		user_domain
		
			,
		
		user_role
		
	)

Summary

The per user domain template for the authlogin module.

Description

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support. This domain will be used by any programs running in the user domain which use PAM to authenticate.

This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.

Parameters

Parameter:	Description:	Optional:
userdomain_prefix	The prefix of the user domain (e.g., user is the prefix for user_t).	No
user_domain	The type of the user domain.	No
user_role	The role associated with the user domain.	No

Return