PAM_TSOL_ACCOUNT(7) Standards, Environments, and Macros PAM_TSOL_ACCOUNT(7)

NAME


pam_tsol_account - PAM account management module for Trusted
Extensions

SYNOPSIS


pam_tsol_account.so.1


DESCRIPTION


The Trusted Extensions service module for PAM, pam_tsol_account.so.1,
checks account limitations that are related to labels.


pam_tsol_account.so.1 contains a function to perform account
management, pam_sm_acct_mgmt(3PAM). The function checks for the
allowed label range for the user. The allowable label range is set
by the defaults in the label_encodings(5) file. These defaults can be
overridden by entries in the user_attr(5) database.


By default, this module requires that remote hosts connecting to the
global zone have a CIPSO host type. To disable this policy, add
the allow_unlabeled keyword as an option to the entry in pam.conf(5),
as in:

other account required pam_tsol_account allow_unlabeled
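
The following shell function is an added example, not part of the original manual page. It reports which account entries for pam_tsol_account in a pam.conf(5)-format file keep the default CIPSO requirement and which relax it with allow_unlabeled. The names audit_tsol_account and write_sample, the "cipso-required" label, and the sample entries are assumptions made for illustration; the five-field layout (service, module type, control flag, module path, options) is assumed.

```shell
#!/bin/sh
# audit_tsol_account FILE
# Prints "<service> <policy>" for every account-stack entry that loads
# pam_tsol_account. policy is "cipso-required" (module default) or
# "allow_unlabeled" (default policy disabled for that service).
# Returns 0 if no entry relaxes the default, 1 if at least one does,
# 2 if FILE cannot be read.
audit_tsol_account() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                          # drop comments
        NF < 4 || tolower($2) != "account" { next } # account stack only
        {
            # Compare the module basename so full paths also match.
            n = split($4, part, "/"); mod = part[n]
            if (mod !~ /^pam_tsol_account(\.so(\.1)?)?$/) next
            policy = "cipso-required"
            for (i = 5; i <= NF; i++)
                if ($i == "allow_unlabeled") {
                    policy = "allow_unlabeled"; relaxed = 1
                }
            print $1, policy
        }
        END { exit relaxed + 0 }
    ' "$1"
}

# Writes a constructed pam.conf fragment (not from a real system) to $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries
login   account required  pam_unix_account.so.1
login   account required  pam_tsol_account.so.1 debug
other   account required  pam_tsol_account allow_unlabeled
sshd    auth    required  pam_unix_auth.so.1
EOF
}
```

On the constructed sample, the function lists login as cipso-required and other as allow_unlabeled, and returns 1 because one entry disables the default policy.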


OPTIONS


The following options can be passed to the module:

allow_unlabeled
Allows remote connections from hosts with
unlabeled template types.


debug
Provides debugging information at the LOG_DEBUG
level. See syslog(3C).


RETURN VALUES


The following values are returned:

PAM_SUCCESS
The account is valid for use at this time and
label.


PAM_PERM_DENIED
The current process label is outside the user's
label range, or the label information for the
process is unavailable, or the remote host type is
not valid.


Other values
Returns an error code that is consistent with
typical PAM operations. For information on error-
related return values, see the pam(3PAM) man page.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+-------------------------+
|   ATTRIBUTE TYPE   |     ATTRIBUTE VALUE     |
+--------------------+-------------------------+
|Interface Stability | Committed               |
+--------------------+-------------------------+
|MT Level            | MT-Safe with exceptions |
+--------------------+-------------------------+


The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.

SEE ALSO


keylogin(1), syslog(3C), libpam(3LIB), pam(3PAM),
pam_sm_acct_mgmt(3PAM), pam_start(3PAM), label_encodings(5),
pam.conf(5), user_attr(5), attributes(7)

NOTES


The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.

August 19, 2023 PAM_TSOL_ACCOUNT(7)
