Layer: system

Module: authlogin

Tunables Interfaces

Description:

Common policy for authentication and user login.

Tunables:

authlogin_nsswitch_use_ldap

Default value

false

Description

Allow users to resolve user passwd entries directly from ldap rather then using a sssd server

Return

Interfaces:

auth_append_faillog(
	
		domain
		
	)

Summary

Append to the login failure log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_append_lastlog(
	
		domain
		
	)

Summary

Append only to the last logins log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_append_login_records(
	
		domain
		
	)

Summary

Append to login records (wtmp).

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_can_read_shadow_passwords(
	
		domain
		
	)

Summary

Pass shadow assertion for reading.

Description

Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_create_pam_console_data_dirs(
	
		domain
		
	)

Summary

Create pam var console pid directories.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_delete_pam_console_data(
	
		domain
		
	)

Summary

Delete pam_console data.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_delete_pam_pid(
	
		domain
		
	)

Summary

Delete pam PID files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_domtrans_chk_passwd(
	
		domain
		
	)

Summary

Run unix_chkpwd to check a password.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_domtrans_chkpwd(
	
		domain
		
	)

Summary

Run unix_chkpwd to check a password. Stripped down version to be called within boolean

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_domtrans_login_program(
	
		domain
		
			,
		
		target_domain
		
	)

Summary

Execute a login_program in the target domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
target_domain	The type of the login_program process.

auth_domtrans_pam(
	
		domain
		
	)

Summary

Execute pam programs in the pam domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_domtrans_pam_console(
	
		domain
		
	)

Summary

Execute pam_console with a domain transition.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_domtrans_upd_passwd(
	
		domain
		
	)

Summary

Execute a domain transition to run unix_update.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_domtrans_utempter(
	
		domain
		
	)

Summary

Execute utempter programs in the utempter domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

auth_dontaudit_exec_utempter(
	
		domain
		
	)

Summary

Do not audit attemps to execute utempter executable.

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_dontaudit_getattr_shadow(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of the shadow passwords file.

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_dontaudit_read_login_records(
	
		domain
		
	)

Summary

Do not audit attempts to read login records files (/var/log/wtmp).

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_dontaudit_read_pam_pid(
	
		domain
		
	)

Summary

Do not audit attemps to read PAM PID files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_dontaudit_read_shadow(
	
		domain
		
	)

Summary

Do not audit attempts to read the shadow password file (/etc/shadow).

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_dontaudit_write_login_records(
	
		domain
		
	)

Summary

Do not audit attempts to write to login records files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

auth_etc_filetrans_shadow(
	
		domain
		
	)

Summary

Automatic transition from etc to shadow.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_exec_pam(
	
		domain
		
	)

Summary

Execute the pam program.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_file(
	
		type
		
	)

Summary

Make the specified type usable as a login file.

Description

Make the specified type usable as a login file, This type has restricted modification capabilities when used with other interfaces that permit files_type access. The default type has properties similar to that of the shadow file. This will also make the type usable as a security file, making calls to files_security_file() redundant.

Parameters

Parameter:	Description:
type	Type to be used as a login file.

auth_getattr_shadow(
	
		domain
		
	)

Summary

Get the attributes of the shadow passwords file.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_list_pam_console_data(
	
		domain
		
	)

Summary

List the contents of the pam_console data directory.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_log_filetrans_login_records(
	
		domain
		
	)

Summary

Create a login records in the log directory using a type transition.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_login_entry_type(
	
		domain
		
	)

Summary

Use the login program as an entry point program.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_login_pgm_domain(
	
		domain
		
	)

Summary

Make the specified domain used for a login program.

Parameters

Parameter:	Description:
domain	Domain type used for a login program domain.

auth_manage_all_files_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Manage all files on the filesystem, except login files passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_manage_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Manage all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_manage_cache(
	
		domain
		
	)

Summary

Manage authentication cache

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_manage_login_records(
	
		domain
		
	)

Summary

Create, read, write, and delete login records files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_manage_pam_console_data(
	
		domain
		
	)

Summary

Create, read, write, and delete pam_console data files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_manage_pam_pid(
	
		domain
		
	)

Summary

Manage pam PID files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_manage_shadow(
	
		domain
		
	)

Summary

Create, read, write, and delete the shadow password file.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_manage_var_auth(
	
		domain
		
	)

Summary

Manage var auth files. Used by various other applications and pam applets etc.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_pid_filetrans_pam_var_console(
	
		domain
		
			,
		
		object_class
		
			,
		
		name
		
	)

Summary

Create specified objects in pid directories with the pam var console pid file type using a file type transition.

Parameters

Parameter:	Description:
domain	Domain allowed access.
object_class	Class of the object being created.
name	The name of the object being created.

auth_ranged_domtrans_login_program(
	
		domain
		
			,
		
		target_domain
		
			,
		
		range
		
	)

Summary

Execute a login_program in the target domain, with a range transition.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
target_domain	The type of the login_program process.
range	Range of the login program.

auth_read_all_dirs_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all directories on the filesystem, except login files and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_all_dirs_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all directories on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_all_files_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all files on the filesystem, except login files and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_all_symlinks_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all symbolic links on the filesystem, except login files and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_all_symlinks_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read all symbolic links on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_read_cache(
	
		domain
		
	)

Summary

Read authentication cache

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_lastlog(
	
		domain
		
	)

Summary

Read the last logins log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_login_records(
	
		domain
		
	)

Summary

Read login records files (/var/log/wtmp).

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_pam_console_data(
	
		domain
		
	)

Summary

Read pam_console data files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_pam_pid(
	
		domain
		
	)

Summary

Read PAM PID files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_shadow(
	
		domain
		
	)

Summary

Read the shadow passwords file (/etc/shadow)

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_read_var_auth(
	
		domain
		
	)

Summary

Read var auth files. Used by various other applications and pam applets etc.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_relabel_all_files_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Relabel all files on the filesystem, except login files and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_relabel_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Relabel all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_relabel_login_records(
	
		domain
		
	)

Summary

Relabel login record files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_relabel_pam_console_data_dirs(
	
		domain
		
	)

Summary

Relabel pam_console data directories.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_relabel_shadow(
	
		domain
		
	)

Summary

Relabel from and to the shadow password file type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_relabelto_shadow(
	
		domain
		
	)

Summary

Relabel to the shadow password file type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_role(
	
		role
		
			,
		
		domain
		
	)

Summary

Role access for password authentication.

Parameters

Parameter:	Description:
role	Role allowed access.
domain	Domain allowed access.

auth_run_chk_passwd(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute chkpwd programs in the chkpwd domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	The role to allow the chkpwd domain.

auth_run_pam(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute pam programs in the PAM domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	The role to allow the PAM domain.

auth_run_upd_passwd(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute updpwd programs in the updpwd domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	The role to allow the updpwd domain.

auth_run_utempter(
	
		domain
		
			,
		
		role
		
	)

Summary

Execute utempter programs in the utempter domain.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
role	The role to allow the utempter domain.

auth_rw_all_files_except_auth_files(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read and write all files on the filesystem, except login files and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_rw_all_files_except_shadow(
	
		domain
		
			,
		
		exception_types
		
	)

Summary

Read and write all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters

Parameter:	Description:
domain	Domain allowed access.
exception_types	The types to be excluded. Each type or attribute must be negated by the caller.

auth_rw_cache(
	
		domain
		
	)

Summary

Read/Write authentication cache

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_rw_faillog(
	
		domain
		
	)

Summary

Read and write the login failure log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_rw_lastlog(
	
		domain
		
	)

Summary

Read and write to the last logins log.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_rw_login_records(
	
		domain
		
	)

Summary

Read and write login records.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_rw_shadow(
	
		domain
		
	)

Summary

Read and write the shadow password file (/etc/shadow).

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_rw_var_auth(
	
		domain
		
	)

Summary

Read and write var auth files. Used by various other applications and pam applets etc.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_search_cache(
	
		domain
		
	)

Summary

Search authentication cache

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_search_pam_console_data(
	
		domain
		
	)

Summary

Search the contents of the pam_console data directory.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_setattr_login_records(
	
		domain
		
	)

Summary

Set the attributes of login record files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_signal_pam(
	
		domain
		
	)

Summary

Send generic signals to pam processes.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_tunable_read_shadow(
	
		domain
		
	)

Summary

Read the shadow password file.

Description

Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_unconfined(
	
		domain
		
	)

Summary

Unconfined access to the authlogin module.

Description

Unconfined access to the authlogin module.

Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_use_nsswitch(
	
		domain
		
	)

Summary

Use nsswitch to look up user, password, group, or host information.

Description

Allow the specified domain to look up user, password, group, or host information using the name service. The most common use of this interface is for services that do host name resolution (usually DNS resolution).

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_use_pam(
	
		domain
		
	)

Summary

Use PAM for authentication.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_var_filetrans_cache(
	
		domain
		
	)

Summary

Automatic transition from cache_t to cache.

Parameters

Parameter:	Description:
domain	Domain allowed access.

auth_write_login_records(
	
		domain
		
	)

Summary

Write to login records (wtmp).

Parameters

Parameter:	Description:
domain	Domain allowed access.

Return