Common policy for authentication and user login.
Append to the login failure log.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Append only to the last logins log.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Append to login records (wtmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Pass the shadow assertion for reading. This should only be used together with auth_tunable_read_shadow(), and only exists because typeattribute does not work inside conditionals.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Delete pam_console data.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete pam PID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Run unix_chkpwd to check a password.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute a login_program in the target domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
target_domain | The type of the login_program process. | No |

Execute pam programs in the pam domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute pam_console with a domain transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute a domain transition to run unix_update.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed to transition. | No |

Execute utempter programs in the utempter domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to execute the utempter executable.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of the shadow passwords file.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read PAM PID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to read the shadow password file (/etc/shadow).

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain to not audit. | No |

Do not audit attempts to write to login records files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Automatic transition from etc to shadow.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute the pam program.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of the shadow passwords file.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified domain a keyring domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain type used for a login program domain. | No |

List the contents of the pam_console data directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create login records in the log directory using a type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Use the login program as an entry point program.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process using the login program as its entry point. | No |

Make the specified domain used for a login program.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain type used for a login program domain. | No |

Manage all files on the filesystem, except the shadow passwords and the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |
Create, read, write, and delete login records files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete pam_console data files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Manage pam PID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete the shadow password file.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Manage var auth files. Used by various other applications, PAM applets, etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute a login_program in the target domain, with a range transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
target_domain | The type of the login_program process. | No |
range | Range of the login program. | No |

Read all directories on the filesystem, except the shadow passwords and the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read all files on the filesystem, except the shadow passwords and the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read all symbolic links on the filesystem, except the shadow passwords and the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read login keyrings.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the last logins log.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read login records files (/var/log/wtmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read pam_console data files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read PAM PID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the shadow passwords file (/etc/shadow).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Relabel all files on the filesystem, except the shadow passwords and the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |
Relabel from and to the shadow password file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Relabel to the shadow password file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Execute chkpwd programs in the chkpwd domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
role | The role to allow the updpwd domain. | No |
terminal | The type of the terminal the updpwd domain is allowed to use. | No |

Execute pam programs in the PAM domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
role | The role to allow the PAM domain. | No |
terminal | The type of the terminal the PAM domain is allowed to use. | No |

Execute updpwd programs in the updpwd domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
role | The role to allow the updpwd domain. | No |
terminal | The type of the terminal the updpwd domain is allowed to use. | No |

Execute utempter programs in the utempter domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
role | The role to allow the utempter domain. | No |
terminal | The type of the terminal the utempter domain is allowed to use. | No |
Read and write the login failure log.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read and write the last logins log.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read and write login records.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read and write the shadow password file (/etc/shadow).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search login keyrings.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of the pam_console data directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Set the attributes of login record files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the shadow password file. This should only be used inside a conditional; it does not pass the shadow-reading assertion.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Unconfined access to the authlogin module.

Currently, this only allows the assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Use nsswitch to look up uid-username mappings.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Write to login records (wtmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Run unix_chkpwd to check a password for a user domain.

This is a templated interface, and should only be called from a per-userdomain template.

Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
domain | Domain allowed access. | No |
Common template to create a domain for authentication.

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support.

Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |

The per role template for the authlogin module.

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support. This domain will be used by any programs running in the user domain which use PAM to authenticate.

This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.

Parameter: | Description: | Optional: |
---|---|---|
userdomain_prefix | The prefix of the user domain (e.g., user is the prefix for user_t). | No |
user_domain | The type of the user domain. | No |
user_role | The role associated with the user domain. | No |