Layer: system

Module: authlogin

Description:

Common policy for authentication and user login.


Tunables:

authlogin_nsswitch_use_ldap
Default value

false

Description

Allow users to resolve user passwd entries directly from LDAP rather than through an sssd server.

authlogin_pam
Default value

true

Description

Allow PAM usage. If disabled, read access to /etc/shadow is allowed for domains that normally use PAM.

Interfaces:

auth_append_faillog( domain )
Summary

Append to the login failure log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_append_lastlog( domain )
Summary

Append only to the last logins log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_append_login_records( domain )
Summary

Append to login records (wtmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_can_read_shadow_passwords( domain )
Summary

Pass shadow assertion for reading.

Description

Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_create_faillog_files( domain )
Summary

Create fail log lock (in /run/faillock).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_create_pam_console_data_dirs( domain )
Summary

Create pam var console pid directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_delete_pam_console_data( domain )
Summary

Delete pam_console data.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_delete_pam_runtime_files( domain )
Summary

Delete pam runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_domtrans_chk_passwd( domain )
Summary

Run unix_chkpwd to check a password.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_domtrans_chkpwd( domain )
Summary

Run unix_chkpwd to check a password. Stripped-down version intended to be called within a boolean (tunable) block.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_domtrans_login_program( domain , target_domain )
Summary

Execute a login_program in the target domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the login_program process.

auth_domtrans_pam( domain )
Summary

Execute pam programs in the pam domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_domtrans_pam_console( domain )
Summary

Execute pam_console with a domain transition.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_domtrans_upd_passwd( domain )
Summary

Execute a domain transition to run unix_update.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_domtrans_utempter( domain )
Summary

Execute utempter programs in the utempter domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

auth_dontaudit_exec_utempter( domain )
Summary

Do not audit attempts to execute utempter executable.

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_dontaudit_getattr_shadow( domain )
Summary

Do not audit attempts to get the attributes of the shadow passwords file.

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_dontaudit_read_login_records( domain )
Summary

Do not audit attempts to read login records files (/var/log/wtmp).

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_dontaudit_read_pam_runtime_files( domain )
Summary

Do not audit attempts to read PAM runtime files.

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_dontaudit_read_shadow( domain )
Summary

Do not audit attempts to read the shadow password file (/etc/shadow).

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_dontaudit_write_login_records( domain )
Summary

Do not audit attempts to write to login records files.

Parameters
Parameter:Description:
domain

Domain to not audit.

auth_etc_filetrans_shadow( domain , name )
Summary

Automatic transition from etc to shadow.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

auth_exec_pam( domain )
Summary

Execute the pam program.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_getattr_shadow( domain )
Summary

Get the attributes of the shadow passwords file.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_list_pam_console_data( domain )
Summary

List the contents of the pam_console data directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_log_filetrans_login_records( domain )
Summary

Create login records in the log directory using a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_login_entry_type( domain )
Summary

Use the login program as an entry point program.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_login_pgm_domain( domain )
Summary

Make the specified domain used for a login program.

Parameters
Parameter:Description:
domain

Domain type used for a login program domain.

auth_manage_cache( domain )
Summary

Manage the authentication cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_faillog( domain )
Summary

Manage the login failure logs.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_lastlog( domain )
Summary

Manage the last logins log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_login_records( domain )
Summary

Create, read, write, and delete login records files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_pam_console_data( domain )
Summary

Create, read, write, and delete pam_console data files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_pam_runtime_dirs( domain )
Summary

Manage pam runtime dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_pam_runtime_files( domain )
Summary

Create, read, write, and delete pam runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_shadow( domain )
Summary

Create, read, write, and delete the shadow password file.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_manage_var_auth( domain )
Summary

Manage var auth files, which are used by various other applications, PAM applets, etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_map_shadow( domain )
Summary

Map the shadow passwords file (/etc/shadow).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_ranged_domtrans_login_program( domain , target_domain , range )
Summary

Execute a login_program in the target domain, with a range transition.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the login_program process.

range

Range of the login program.

auth_read_cache( domain )
Summary

Read the authentication cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_lastlog( domain )
Summary

Read the last logins log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_login_records( domain )
Summary

Read login records files (/var/log/wtmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_pam_console_data( domain )
Summary

Read pam_console data files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_pam_motd_files( domain )
Summary

Read files in the /run/motd.d directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_pam_runtime_files( domain )
Summary

Read PAM runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_shadow( domain )
Summary

Read the shadow passwords file (/etc/shadow).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_read_var_auth( domain )
Summary

Read var auth files, which are used by various other applications, PAM applets, etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_relabel_lastlog( domain )
Summary

Relabel the last logins log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_relabel_login_records( domain )
Summary

Relabel login record files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_relabel_pam_console_data_dirs( domain )
Summary

Relabel pam_console data directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_relabel_shadow( domain )
Summary

Relabel from and to the shadow password file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_relabelto_shadow( domain )
Summary

Relabel to the shadow password file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_run_chk_passwd( domain , role )
Summary

Execute chkpwd programs in the chkpwd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to allow the chkpwd domain.

auth_run_pam( domain , role )
Summary

Execute pam programs in the PAM domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to allow the PAM domain.

auth_run_upd_passwd( domain , role )
Summary

Execute updpwd programs in the updpwd domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to allow the updpwd domain.

auth_run_utempter( domain , role )
Summary

Execute utempter programs in the utempter domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to allow the utempter domain.

auth_runtime_filetrans_pam_runtime( domain , object_class , name )
Summary

Create specified objects in pid directories with the pam runtime file type using a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

Class of the object being created.

name

The name of the object being created.

auth_runtime_filetrans_pam_var_console( domain , object_class , name )
Summary

Create specified objects in generic runtime directories with the pam var console runtime file type using a file type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_class

Class of the object being created.

name

The name of the object being created.

auth_rw_cache( domain )
Summary

Read and write the authentication cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_faillog( domain )
Summary

Read and write the login failure log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_lastlog( domain )
Summary

Read and write to the last logins log.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_login_records( domain )
Summary

Read and write login records.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_shadow( domain )
Summary

Read and write the shadow password file (/etc/shadow).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_shadow_lock( domain )
Summary

Read/Write shadow lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_rw_var_auth( domain )
Summary

Read and write var auth files, which are used by various other applications, PAM applets, etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_search_cache( domain )
Summary

Search the authentication cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_search_pam_console_data( domain )
Summary

Search the contents of the pam_console data directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_setattr_faillog_files( domain )
Summary

Set the attributes of the login failure logs.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_setattr_login_records( domain )
Summary

Set the attributes of login record files.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_signal_pam( domain )
Summary

Send generic signals to pam processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_tunable_read_shadow( domain )
Summary

Read the shadow password file.

Description

Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.

Parameters
Parameter:Description:
domain

Domain allowed access.
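As an added example (not part of the authlogin module or its documentation), the pattern described by auth_can_read_shadow_passwords() and auth_tunable_read_shadow() above, applied to a hypothetical daemon domain myauthd_t: the assertion pass is called unconditionally, and the actual shadow_t read rule is taken only inside a tunable_policy block keyed on authlogin_pam.

```selinux
policy_module(myauthd, 1.0.0)

########################################
#
# Declarations (hypothetical domain, constructed for this example)
#

type myauthd_t;
type myauthd_exec_t;
init_daemon_domain(myauthd_t, myauthd_exec_t)

########################################
#
# Policy
#

# Default path (authlogin_pam = true): the daemon never reads
# /etc/shadow itself; the check is handed to unix_chkpwd through a
# domain transition into chkpwd_t.
auth_domtrans_chk_passwd(myauthd_t)

# Fallback path (authlogin_pam = false): direct read of shadow_t.
#
# Only the allow rule may live inside the conditional. The assertion
# pass is a typeattribute statement, which is not accepted inside an
# if/else block, so auth_can_read_shadow_passwords() is called
# unconditionally here and auth_tunable_read_shadow() goes inside
# the tunable. Calling auth_tunable_read_shadow() on its own would
# fail the shadow read neverallow assertion at policy build time.
auth_can_read_shadow_passwords(myauthd_t)

tunable_policy(`!authlogin_pam',`
	auth_tunable_read_shadow(myauthd_t)
')
```

After loading the module, `sesearch -A -s myauthd_t -t shadow_t -c file` shows the read rule as conditional on authlogin_pam, and `setsebool -P authlogin_pam off` is what actually enables it.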

auth_unconfined( domain )
Summary

Unconfined access to the authlogin module.

Description

Unconfined access to the authlogin module.

Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_use_nsswitch( domain )
Summary

Use nsswitch to look up user, password, group, or host information.

Description

Allow the specified domain to look up user, password, group, or host information using the name service. The most common use of this interface is for services that do host name resolution (usually DNS resolution).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_use_pam( domain )
Summary

Use PAM for authentication.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_use_pam_motd_dynamic( domain )
Summary

Use the PAM module motd with dynamic support during authentication. This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071) and was added to Debian (https://sources.debian.org/src/pam/1.3.1-5/debian/patches-applied/update-motd/).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_use_pam_systemd( domain )
Summary

Use the pam module systemd during authentication.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_var_filetrans_cache( domain )
Summary

Automatic transition from cache_t to cache.

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_write_login_records( domain )
Summary

Write to login records (wtmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

auth_write_pam_motd_files( domain )
Summary

Write files in the /run/motd.d directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

Templates:

auth_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for password authentication.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access
