pam_mac

Determines the type that should be associated with the user and switches to it if a security policy is loaded.

Syntax:

facility control_flag pam_mac.so [verbose] [config=path] [allow_no_policy]

Options:

verbose
Perform additional logging.
config=path
Read the user-to-type mapping from path instead of /etc/pam_mac_users.
allow_no_policy
Allow the pam_mac module to be used when no security policy is loaded. If no policy is loaded, the module does not switch types and does not need to be removed from the PAM configuration.

Description:

Security policy relies on the use of types. Use the pam_mac module to switch the type associated with a user's shell at the time they log in to a system. The module determines the type that should be associated with the user and switches to it by calling procmgr_set_type_id. If the type change fails, the module returns an error and the session is terminated. The pam_mac module operates post-authentication, during the session creation stage.

Note: Without this module, if you log in through ssh, telnet or anything similar under an active security policy, the type ID associated with your shell will be the same as that of the parent service, sshd or telnetd.

The pam_mac module requires a configuration file that maps user names to type names. By default, the module looks for the file at /etc/pam_mac_users; you can change the file path with the module's config option. The configuration file must be owned by root and have no group or world write access, and every type it names must be defined in the security policy.

The security policy may require additional lines to support the pam_mac configuration file, and its author should take into consideration what might happen if the abilities of all types listed in the configuration file are combined.

Note: The PAM module syntax does not stand alone and is contained within the context of the PAM configuration command. See the Security Developer's Guide for more information about system authentication, configuring PAM, facilities, control flags, examples, and how QNX Neutrino uses the OpenPAM framework.

Example:

Each line of the pam_mac configuration file contains a user name, followed by a colon and a specific type, for example:

root:user_root_t
user1:user_user1_t
user2:user_user2_t

The server process through which you are logging in (for example, sshd) requires the ability to switch to all of the types appearing in the pam_mac configuration file:

allow sshd_t  self:ability {
    settypeid:user_root_t,user_user1_t,user_user2_t
};

Note: Giving sshd the ability to switch to these types is similar, from a security point of view, to giving sshd the union of the capabilities of all these types.
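The following script is an added example, not part of the QNX documentation or the pam_mac module itself. It validates a pam_mac_users file the way the text requires (one user:type per line, root-owned, no group or world write, every type defined in the policy) and renders the matching settypeid rule for the login service. It assumes blank lines are ignored and that comments are not supported; the sample file content and stat values are constructed.

```python
import stat

# Constructed sample of /etc/pam_mac_users using the mappings shown on this page.
SAMPLE = """root:user_root_t
user1:user_user1_t
user2:user_user2_t
"""

def parse_pam_mac_users(text):
    """Parse 'user:type' lines into a dict and reject anything else.
    Assumption: blank lines are ignored; comment lines are not supported."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, type_name = line.partition(":")
        if not sep or not user.strip() or not type_name.strip() or ":" in type_name:
            raise ValueError(f"line {lineno}: expected 'user:type', got {raw!r}")
        user, type_name = user.strip(), type_name.strip()
        if user in mapping:  # which entry would win is undefined, so refuse it
            raise ValueError(f"line {lineno}: duplicate entry for user {user!r}")
        mapping[user] = type_name
    return mapping

def file_mode_problems(st_uid, st_mode):
    """Check the ownership rule: owned by root, no group or world write access.
    Takes st_uid/st_mode from os.stat() so it can be tested with constructed values."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def unknown_types(mapping, policy_types):
    """Types referenced by the mapping that the security policy does not define."""
    return [t for t in dict.fromkeys(mapping.values()) if t not in policy_types]

def settypeid_rule(mapping, service_type="sshd_t"):
    """Render the policy rule granting the login service every type in the file."""
    types = ",".join(dict.fromkeys(mapping.values()))  # dedupe, keep file order
    return f"allow {service_type} self:ability {{\n    settypeid:{types}\n}};"

if __name__ == "__main__":
    mapping = parse_pam_mac_users(SAMPLE)
    print(settypeid_rule(mapping))
    print(file_mode_problems(1000, 0o100664))  # constructed stat values, both checks fail
```

On a live system, pass `os.stat("/etc/pam_mac_users").st_uid` and `.st_mode` to `file_mode_problems` and the set of types defined in the loaded policy to `unknown_types`.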

Service category:

This module belongs to the session PAM service category.

Exit status:

If no policy is loaded, the pam_mac module returns success if the allow_no_policy option has been specified; otherwise, it returns failure.
If a policy has been loaded, it returns failure if:

Otherwise, it returns success.