Common policy for authentication and user login.

Default value: false
Allow users to resolve user passwd entries directly from ldap rather than using a sssd server.

Default value: true
Allow PAM usage. If disabled, read access to /etc/shadow is allowed for domains that normally use PAM.
Append to the login failure log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Append only to the last logins log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Append to login records (wtmp).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create fail log lock (in /run/faillock).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create pam var console pid directories.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Delete pam_console data.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Delete pam runtime files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Run unix_chkpwd to check a password.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |

Run unix_chkpwd to check a password. This is a stripped-down version intended to be called within a boolean.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute a login_program in the target domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the login_program process. |

Execute pam programs in the pam domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |

Execute pam_console with a domain transition.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |

Execute a domain transition to run unix_update.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |

Execute utempter programs in the utempter domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |

Do not audit attempts to execute the utempter executable.

Parameter: | Description: |
---|---|
domain | Domain to not audit. |

Do not audit attempts to get the attributes of the shadow passwords file.

Parameter: | Description: |
---|---|
domain | Domain to not audit. |

Do not audit attempts to read login records files (/var/log/wtmp).

Parameter: | Description: |
---|---|
domain | Domain to not audit. |

Do not audit attempts to read PAM runtime files.

Parameter: | Description: |
---|---|
domain | Domain to not audit. |

Do not audit attempts to read the shadow password file (/etc/shadow).

Parameter: | Description: |
---|---|
domain | Domain to not audit. |

Do not audit attempts to write to login records files.

Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Automatic transition from etc to shadow.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |

Execute the pam program.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Get the attributes of the shadow passwords file.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

List the contents of the pam_console data directory.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create login records in the log directory using a type transition.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Use the login program as an entry point program.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Make the specified domain used for a login program.

Parameter: | Description: |
---|---|
domain | Domain type used for a login program domain. |
Manage the authentication cache.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Manage the login failure logs.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Manage the last logins log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create, read, write, and delete login records files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create, read, write, and delete pam_console data files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Manage pam runtime dirs.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create, read, write, and delete pam runtime files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Create, read, write, and delete the shadow password file.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Manage var auth files. Used by various other applications and pam applets etc.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Map the shadow passwords file (/etc/shadow).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a login_program in the target domain, with a range transition.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the login_program process. |
range | Range of the login program. |

Read the authentication cache.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read the last logins log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read login records files (/var/log/wtmp).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read pam_console data files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read files in the /run/motd.d directory.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read PAM runtime files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read the shadow passwords file (/etc/shadow).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read var auth files. Used by various other applications and pam applets etc.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Relabel the last logins log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Relabel login record files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Relabel pam_console data directories.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Relabel from and to the shadow password file type.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Relabel to the shadow password file type.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute chkpwd programs in the chkpwd domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | The role to allow the chkpwd domain. |

Execute pam programs in the PAM domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | The role to allow the PAM domain. |

Execute updpwd programs in the updpwd domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | The role to allow the updpwd domain. |

Execute utempter programs in the utempter domain.

Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | The role to allow the utempter domain. |

Create specified objects in pid directories with the pam runtime file type using a type transition.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
object_class | Class of the object being created. |
name | The name of the object being created. |

Create specified objects in generic runtime directories with the pam var console runtime file type using a file type transition.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
object_class | Class of the object being created. |
name | The name of the object being created. |
Read and write the authentication cache.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write the login failure log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write to the last logins log.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write login records.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write the shadow password file (/etc/shadow).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write shadow lock files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Read and write var auth files. Used by various other applications and pam applets etc.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Search the authentication cache.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Search the contents of the pam_console data directory.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Set the attributes of the login failure logs.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Set the attributes of login record files.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Send generic signals to pam processes.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Unconfined access to the authlogin module. Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Use nsswitch to look up user, password, group, or host information. Allow the specified domain to look up user, password, group, or host information using the name service. The most common use of this interface is for services that do host name resolution (usually DNS resolution).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Use PAM for authentication.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Use the pam module motd with dynamic support during authentication. This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071) and was added to Debian (https://sources.debian.org/src/pam/1.3.1-5/debian/patches-applied/update-motd/).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Use the pam module systemd during authentication.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Automatic transition from cache_t to cache.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Write to login records (wtmp).

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Write files in the /run/motd.d directory.

Parameter: | Description: |
---|---|
domain | Domain allowed access. |

Role access for password authentication.

Parameter: | Description: |
---|---|
role_prefix | The prefix of the user role (e.g., user is the prefix for user_r). |
user_domain | User domain for the role. |
user_exec_domain | User exec domain for execute and transition access. |
role | Role allowed access. |