Layer: system

Module: authlogin


Description:

Common policy for authentication and user login.

Interfaces:

auth_append_faillog( domain )
Summary

Append to the login failure log.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_append_lastlog( domain )
Summary

Append only to the last logins log.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_append_login_records( domain )
Summary

Append to login records (wtmp).

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_can_read_shadow_passwords( domain )
Summary

Pass shadow assertion for reading.

Description

Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_delete_pam_console_data( domain )
Summary

Delete pam_console data.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_delete_pam_pid( domain )
Summary

Delete pam PID files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_domtrans_chk_passwd( domain )
Summary

Run unix_chkpwd to check a password.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_domtrans_chkpwd( domain )
Summary

Run unix_chkpwd to check a password.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_domtrans_login_program( domain , target_domain )
Summary

Execute a login_program in the target domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
target_domain

The type of the login_program process.

No
auth_domtrans_pam( domain )
Summary

Execute pam programs in the pam domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_domtrans_pam_console( domain )
Summary

Execute pam_console with a domain transition.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_domtrans_upd_passwd( domain )
Summary

Execute a domain transition to run unix_update.

Parameters
Parameter:Description:Optional:
domain

Domain allowed to transition.

No
auth_domtrans_upd_passwd_chk( domain )
Summary

Execute a domain transition to run unix_update in Read Only Mode.

Parameters
Parameter:Description:Optional:
domain

Domain allowed to transition.

No
auth_domtrans_utempter( domain )
Summary

Execute utempter programs in the utempter domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_dontaudit_exec_utempter( domain )
Summary

Do not audit attempts to execute the utempter executable.

Parameters
Parameter:Description:Optional:
domain

Domain to not audit.

No
auth_dontaudit_getattr_shadow( domain )
Summary

Do not audit attempts to get the attributes of the shadow passwords file.

Parameters
Parameter:Description:Optional:
domain

Domain to not audit.

No
auth_dontaudit_read_pam_pid( domain )
Summary

Do not audit attempts to read PAM PID files.

Parameters
Parameter:Description:Optional:
domain

Domain to not audit.

No
auth_dontaudit_read_shadow( domain )
Summary

Do not audit attempts to read the shadow password file (/etc/shadow).

Parameters
Parameter:Description:Optional:
domain

The type of the domain to not audit.

No
auth_dontaudit_write_login_records( domain )
Summary

Do not audit attempts to write to login records files.

Parameters
Parameter:Description:Optional:
domain

Domain to not audit.

No
auth_etc_filetrans_shadow( domain )
Summary

Automatic type transition to the shadow password file type for files the domain creates in the etc directory.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_exec_pam( domain )
Summary

Execute the pam program.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_filetrans_cache( domain )
Summary

Automatic type transition from cache_t to the authentication cache type.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_getattr_shadow( domain )
Summary

Get the attributes of the shadow passwords file.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_keyring_domain( domain )
Summary

Make the specified domain a keyring domain.

Parameters
Parameter:Description:Optional:
domain

Domain type to be made a keyring domain.

No
auth_list_pam_console_data( domain )
Summary

List the contents of the pam_console data directory.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_log_filetrans_login_records( domain )
Summary

Create login records in the log directory using a type transition.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_login_entry_type( domain )
Summary

Use the login program as an entry point program.

Parameters
Parameter:Description:Optional:
domain

The type of process using the login program as entry point.

No
auth_login_pgm_domain( domain )
Summary

Make the specified domain used for a login program.

Parameters
Parameter:Description:Optional:
domain

Domain type used for a login program domain.

No
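The interfaces above separate two kinds of callers: a program that only needs to verify a password (run unix_chkpwd in its own domain, record the outcome) and a real login program that changes identity and starts a session (auth_login_pgm_domain). The following is an added example, not part of the reference policy, showing the first kind: a hypothetical service mylogind_t that authenticates users through PAM without ever reading /etc/shadow itself. The types mylogind_t and mylogind_exec_t and the init_daemon_domain() call (from the init module) are assumptions for illustration; the auth_* interfaces are the ones documented on this page.

```selinux
# Added example (not reference policy code): a hypothetical network service,
# mylogind, that verifies user passwords through PAM and records logins but
# does not itself become the user. mylogind_t, mylogind_exec_t and the
# init_daemon_domain() call are assumptions for illustration.
policy_module(mylogind, 1.0.0)

type mylogind_t;
type mylogind_exec_t;
init_daemon_domain(mylogind_t, mylogind_exec_t)

# Resolve user and group names through NSS (files, LDAP, sssd, ...) rather
# than granting direct read access to each backing store.
auth_use_nsswitch(mylogind_t)

# Verify passwords by executing unix_chkpwd with a domain transition. The
# helper, not mylogind_t, reads /etc/shadow, so mylogind_t needs no shadow_t
# access at all. If the caller runs under a role other than system_r, use
# auth_run_chk_passwd(mylogind_t, <role>, <terminal type>) instead so that
# role is allowed the chkpwd domain.
auth_domtrans_chkpwd(mylogind_t)

# pam_unix tries to open /etc/shadow directly before falling back to the
# helper. That denial is expected: silence it instead of granting the access.
auth_dontaudit_read_shadow(mylogind_t)

# Record outcomes: failures to faillog, successes to lastlog and wtmp.
# Append-only access keeps a compromised daemon from rewriting history.
auth_append_faillog(mylogind_t)
auth_append_lastlog(mylogind_t)
auth_append_login_records(mylogind_t)

# Only a program that must change UID and role and start a user session
# (login, sshd, a display manager) should instead be declared with
# auth_login_pgm_domain(mylogind_t), which grants a far broader set of
# permissions. Do not use it for a service that merely checks credentials.
```

After loading the module, confirm the intended boundary: `sesearch --allow -s mylogind_t -t shadow_t` should return no rules, while `sesearch -T -s mylogind_t -t chkpwd_exec_t` should show the process transition into the chkpwd domain.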
auth_manage_all_files_except_shadow( domain , exception_types )
Summary

Manage all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain performing this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_manage_cache( domain )
Summary

Manage the authentication cache.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_manage_login_records( domain )
Summary

Create, read, write, and delete login records files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_manage_pam_console_data( domain )
Summary

Create, read, write, and delete pam_console data files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_manage_pam_pid( domain )
Summary

Manage pam PID files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_manage_shadow( domain )
Summary

Create, read, write, and delete the shadow password file.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_manage_var_auth( domain )
Summary

Manage var_auth files. Used by various other applications, PAM modules and similar components.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_ranged_domtrans_login_program( domain , target_domain , range )
Summary

Execute a login_program in the target domain, with a range transition.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
target_domain

The type of the login_program process.

No
range

Range of the login program.

No
auth_read_all_dirs_except_shadow( domain , exception_types )
Summary

Read all directories on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain performing this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_read_all_files_except_shadow( domain , exception_types )
Summary

Read all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain performing this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_read_all_symlinks_except_shadow( domain , exception_types )
Summary

Read all symbolic links on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain perfoming this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_read_cache( domain )
Summary

Read the authentication cache.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_key( domain )
Summary

Read login keyrings.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_lastlog( domain )
Summary

Read the last logins log.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_login_records( domain )
Summary

Read login records files (/var/log/wtmp).

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_pam_console_data( domain )
Summary

Read pam_console data files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_pam_pid( domain )
Summary

Read PAM PID files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_read_shadow( domain )
Summary

Read the shadow passwords file (/etc/shadow).

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_relabel_all_files_except_shadow( domain , exception_types )
Summary

Relabel all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain performing this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_relabel_shadow( domain )
Summary

Relabel from and to the shadow password file type.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_relabelto_shadow( domain )
Summary

Relabel to the shadow password file type.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_run_chk_passwd( domain , role , terminal )
Summary

Execute chkpwd programs in the chkpwd domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
role

The role to allow the chkpwd domain.

No
terminal

The type of the terminal the chkpwd domain is allowed to use.

No
auth_run_pam( domain , role , terminal )
Summary

Execute pam programs in the PAM domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
role

The role to allow the PAM domain.

No
terminal

The type of the terminal the PAM domain is allowed to use.

No
auth_run_upd_passwd( domain , role , terminal )
Summary

Execute updpwd programs in the updpwd domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
role

The role to allow the updpwd domain.

No
terminal

The type of the terminal the updpwd domain is allowed to use.

No
auth_run_upd_passwd_chk( domain , role , terminal )
Summary

Execute updpwd programs in the chkpwd domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
role

The role to allow the updpwd domain.

No
terminal

The type of the terminal the updpwd domain is allowed to use.

No
auth_run_utempter( domain , role , terminal )
Summary

Execute utempter programs in the utempter domain.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
role

The role to allow the utempter domain.

No
terminal

The type of the terminal the utempter domain is allowed to use.

No
auth_rw_all_files_except_shadow( domain , exception_types )
Summary

Read and write all files on the filesystem, except the shadow passwords and listed exceptions.

Parameters
Parameter:Description:Optional:
domain

The type of the domain performing this action.

No
exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

Yes
auth_rw_cache( domain )
Summary

Read and write the authentication cache.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_rw_faillog( domain )
Summary

Read and write the login failure log.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_rw_lastlog( domain )
Summary

Read and write to the last logins log.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_rw_login_records( domain )
Summary

Read and write login records.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_rw_shadow( domain )
Summary

Read and write the shadow password file (/etc/shadow).

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_search_key( domain )
Summary

Search login keyrings.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_search_pam_console_data( domain )
Summary

Search the contents of the pam_console data directory.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_setattr_login_records( domain )
Summary

Set the attributes of login record files.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_tunable_read_shadow( domain )
Summary

Read the shadow password file.

Description

Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
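auth_can_read_shadow_passwords() and auth_tunable_read_shadow() exist as a pair because of a checkpolicy restriction noted in both descriptions: a typeattribute statement cannot appear inside a conditional. auth_read_shadow() both grants the access and adds the domain to the attribute that passes the shadow neverallow assertion, so it cannot be wrapped in tunable_policy. The following is an added example, not part of the reference policy, showing the failing pattern and the working one for a hypothetical directory service mydirsrv_t that should read /etc/shadow only when an administrator enables a boolean. mydirsrv_t, mydirsrv_exec_t, the tunable name mydirsrv_read_shadow and the init_daemon_domain() call (from the init module) are assumptions for illustration.

```selinux
# Added example (not reference policy code): conditional /etc/shadow access
# for a hypothetical directory service. mydirsrv_t, mydirsrv_exec_t and the
# boolean mydirsrv_read_shadow are assumptions for illustration.
policy_module(mydirsrv, 1.0.0)

type mydirsrv_t;
type mydirsrv_exec_t;
init_daemon_domain(mydirsrv_t, mydirsrv_exec_t)

## <desc>
## <p>
## Allow mydirsrv to read /etc/shadow directly (disabled by default).
## </p>
## </desc>
gen_tunable(mydirsrv_read_shadow, false)

# WRONG: auth_read_shadow() adds the can_read_shadow_passwords attribute
# with typeattribute, which is not allowed inside a conditional, so this
# block fails to compile:
#
# tunable_policy(`mydirsrv_read_shadow',`
#	auth_read_shadow(mydirsrv_t)
# ')

# RIGHT: pass the shadow assertion unconditionally and grant the allow
# rules conditionally. The assertion pass grants no access by itself; it
# only exempts the domain from the neverallow on reading shadow_t, which is
# what lets the conditional rules below load.
auth_can_read_shadow_passwords(mydirsrv_t)

tunable_policy(`mydirsrv_read_shadow',`
	auth_tunable_read_shadow(mydirsrv_t)
',`
	# Boolean off: the daemon may still probe /etc/shadow; keep the
	# expected denial out of the audit log without granting anything.
	auth_dontaudit_read_shadow(mydirsrv_t)
')
```

The boolean is switched at runtime with `setsebool -P mydirsrv_read_shadow on` and inspected with `getsebool`; `sesearch --allow -s mydirsrv_t -t shadow_t -c file -p read` shows the rule as conditional on the boolean. Note that auth_can_read_shadow_passwords() permanently exempts the domain from the assertion, so reviewers should treat any domain carrying it as one that can read password hashes under some configuration.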
auth_unconfined( domain )
Summary

Unconfined access to the authlogin module.

Description

Unconfined access to the authlogin module.

Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_use_nsswitch( domain )
Summary

Use nsswitch to look up uid-username mappings.

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No
auth_write_login_records( domain )
Summary

Write to login records (wtmp).

Parameters
Parameter:Description:Optional:
domain

Domain allowed access.

No

Templates:

auth_domtrans_user_chk_passwd( userdomain_prefix , domain )
Summary

Run unix_chkpwd to check a password for a user domain.

Description

Run unix_chkpwd to check a password for a user domain.

This is a templated interface, and should only be called from a per-userdomain template.

Parameters
Parameter:Description:Optional:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

No
domain

Domain allowed access.

No
authlogin_common_auth_domain_template( userdomain_prefix )
Summary

Common template to create a domain for authentication.

Description

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support.

Parameters
Parameter:Description:Optional:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

No
authlogin_per_role_template( userdomain_prefix , user_domain , user_role )
Summary

The per role template for the authlogin module.

Description

This template creates a derived domain which is allowed to authenticate users by using PAM unix_chkpwd support. This domain will be used by any programs running in the user domain which use PAM to authenticate.

This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.

Parameters
Parameter:Description:Optional:
userdomain_prefix

The prefix of the user domain (e.g., user is the prefix for user_t).

No
user_domain

The type of the user domain.

No
user_role

The role associated with the user domain.

No