
pam_console_apply(8) [centos man page]

pam_console_apply(8)					   System Administrator's Manual				      pam_console_apply(8)

NAME
       pam_console_apply - set or revoke permissions for users at the system console

SYNOPSIS
       pam_console_apply [-f <fstab file>] [-c <console.perms file>] [-r] [-t <tty>] [-s] [-d] [<device file> ...]

DESCRIPTION
       pam_console_apply is a helper executable which sets or resets permissions on device nodes. If /var/run/console.lock exists, pam_console_apply will grant permissions to the user listed therein. If the lock file does not exist, permissions are reset according to defaults set in console.perms files, normally configured to set permissions on devices so that root owns them.

       When initializing its configuration it first parses the /etc/security/console.perms file and then it searches for files ending with the .perms suffix in the /etc/security/console.perms.d directory. These files are parsed in lexical order in the "C" locale. Permission rules are appended to a global list; console and device class definitions override previous definitions of the same class.

ARGUMENTS
       -c     Load a console.perms file other than the default one.

       -f     Load an fstab file other than the default one (/etc/fstab).

       -r     Signals pam_console_apply to reset permissions. The default is to set permissions so that the user listed in /var/run/console.lock has access to the devices, and to reset permissions if no such file exists.

       -t     Use <tty> to match the console class in the console.perms file. The default is tty0.

       -s     Write error messages to the system log instead of stderr.

       -d     Log/display messages useful for debugging.

       The optional <device file> arguments constrain which files are affected by pam_console_apply. If they aren't specified, permissions are changed on all files specified in the console.perms file.

FILES
       /var/run/console.lock
       /etc/security/console.perms
       /etc/security/console.perms.d/50-default.perms

SEE ALSO
       pam_console(8), console.perms(5)

BUGS
       Let's hope not, but if you find any, please report them via the "Bug Track" link at http://bugzilla.redhat.com/bugzilla/

AUTHORS
       Nalin Dahyabhai <nalin@redhat.com>, using code shamelessly stolen from parts of pam_console. Support of console.perms.d and other improvements by Tomas Mraz <tmraz@redhat.com>.

Red Hat							   2005/5/2					      pam_console_apply(8)
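The DESCRIPTION above fixes the parse order (console.perms first, then console.perms.d/*.perms in "C" locale order) and the override rule (a later class definition replaces an earlier one), which is what an auditor needs when a device ends up with unexpected ownership after a console login. The following POSIX shell script is an added example and is not part of pam_console_apply or its man page: perms_files lists the files in the order the man page describes, effective_class reports the definition that wins for a given class, and make_sample_tree builds a constructed configuration tree (sample data, not any system's real files). The optional base-directory argument is an assumption added so the check can run against such a tree instead of /etc/security.

```shell
#!/bin/sh
# Added example, not part of pam_console_apply or its man page: list the
# console.perms files in the order pam_console_apply parses them and find the
# effective (last) definition of a device or console class. The base
# directory argument is an assumption so the check can run on a constructed tree.

# Print the configuration files in parse order, one per line:
# <base>/console.perms first, then <base>/console.perms.d/*.perms in "C" locale order.
perms_files() {
    base="${1:-/etc/security}"
    if [ -f "$base/console.perms" ]; then
        printf '%s\n' "$base/console.perms"
    fi
    if [ -d "$base/console.perms.d" ]; then
        # LC_ALL=C gives the byte-wise order the man page specifies, which is
        # not the order a locale-aware listing (or the shell's own glob) uses.
        for f in "$base/console.perms.d"/*.perms; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done | LC_ALL=C sort
    fi
}

# Print "file:definition" for the effective definition of a class such as
# "<floppy>": the last "<class>=..." line seen across all files in parse order.
effective_class() {
    class="$1"
    base="${2:-/etc/security}"
    perms_files "$base" | while IFS= read -r f; do
        grep -H "^$class=" "$f" || true   # a file without this class is not an error
    done | tail -n 1
}

# Constructed sample tree (not a real system's configuration): <floppy> is
# defined four times and the "C" locale order decides which definition wins.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/console.perms.d"
    printf '<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\\.[0-9] :[0-9]\n' > "$d/console.perms"
    printf '<floppy>=/dev/fd[0-1]*\n' >> "$d/console.perms"
    printf '<floppy>=/dev/fd[0-1]* /dev/floppy/*\n<console> 0660 <floppy> 0660 root.floppy\n' \
        > "$d/console.perms.d/50-default.perms"
    printf '<floppy>=/dev/fd0\n' > "$d/console.perms.d/Zz-site.perms"
    printf '<floppy>=/dev/fd1\n' > "$d/console.perms.d/local.perms"
}

# Usage on a live system (defaults to /etc/security):
#   perms_files
#   effective_class '<floppy>'
```

On the constructed tree the winner is console.perms.d/local.perms, because in the "C" locale the uppercase "Zz-site.perms" sorts before the lowercase "local.perms"; a locale-aware `ls` would show the opposite order and suggest the wrong file, which is exactly the trap the man page's "C" locale remark guards against.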


avc_add_callback(3)					     SELinux API documentation					       avc_add_callback(3)

NAME
       avc_add_callback - additional event notification for SELinux userspace object managers.

SYNOPSIS
       #include <selinux/selinux.h>
       #include <selinux/avc.h>

       int avc_add_callback(int (*callback)(uint32_t event, security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms, access_vector_t *out_retained), uint32_t events, security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms);

DESCRIPTION
       avc_add_callback is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.

       events is the bitwise-or of security events on which to register the callback; see SECURITY EVENTS below.

       ssid, tsid, tclass, and perms specify the source and target SIDs, target class, and specific permissions that the callback wishes to monitor. The special symbol SECSID_WILD may be passed as the source or target and will cause any SID to match.

       callback is the callback function provided by the userspace object manager. The event argument indicates the security event which occurred; the remaining arguments are interpreted according to the event as described below. The return value of the callback should be zero on success, -1 on error with errno set appropriately (but see RETURN VALUE below).

SECURITY EVENTS
       In all cases below, ssid and/or tsid may be set to SECSID_WILD, indicating that the change applies to all source and/or target SIDs. Unless otherwise indicated, the out_retained parameter is unused.

       AVC_CALLBACK_GRANT
              Previously denied permissions are now granted for ssid, tsid with respect to tclass. perms indicates the permissions to grant.

       AVC_CALLBACK_TRY_REVOKE
              Previously granted permissions are now conditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke. The callback should set out_retained to the subset of perms which are retained as migrated permissions. Note that out_retained is ignored if the callback returns -1.

       AVC_CALLBACK_REVOKE
              Previously granted permissions are now unconditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke.

       AVC_CALLBACK_RESET
              Indicates that the cache was flushed. The SID, class, and permission arguments are unused and are set to NULL.

       AVC_CALLBACK_AUDITALLOW_ENABLE
              The permissions given by perms should now be audited when granted for ssid, tsid with respect to tclass.

       AVC_CALLBACK_AUDITALLOW_DISABLE
              The permissions given by perms should no longer be audited when granted for ssid, tsid with respect to tclass.

       AVC_CALLBACK_AUDITDENY_ENABLE
              The permissions given by perms should now be audited when denied for ssid, tsid with respect to tclass.

       AVC_CALLBACK_AUDITDENY_DISABLE
              The permissions given by perms should no longer be audited when denied for ssid, tsid with respect to tclass.

RETURN VALUE
       On success, avc_add_callback returns zero. On error, -1 is returned and errno is set appropriately.

       A return value of -1 from a callback is interpreted as a failed policy operation. If such a return value is encountered, all remaining callbacks registered on the event are called. In threaded mode, the netlink handler thread may then terminate and cause the userspace AVC to return EINVAL on all further permission checks until avc_destroy(3) is called. In non-threaded mode, the permission check on which the error occurred will return -1 and the value of errno encountered to the caller. In both cases, a log message is produced and the kernel may be notified of the error.

ERRORS
       ENOMEM An attempt to allocate memory failed.

NOTES
       If the userspace AVC is running in threaded mode, callbacks registered via avc_add_callback may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See avc_init(3).

       Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is AVC_CALLBACK_RESET.

AUTHOR
       Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO
       avc_init(3), avc_has_perm(3), avc_context_to_sid(3), avc_cache_stats(3), security_compute_av(3), selinux(8)

								9 June 2004					       avc_add_callback(3)
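The DESCRIPTION, SECURITY EVENTS and RETURN VALUE sections above together define a small contract: a registration is an events bitmask plus SID/class/permission filters with SECSID_WILD as a wildcard, a TRY_REVOKE callback hands back the permissions it keeps through out_retained (ignored when it returns -1), and one callback's -1 does not stop the remaining callbacks from being called. The C program below is an added example, not libselinux code and not from the man page: it is a single-threaded simulation of that registry and dispatch, so it builds without libselinux. The typedefs, the SECSID_WILD value, the event bit values, the registry and the sim_avc_add_callback, sim_avc_notify, om_callback, failing_callback and run_demo functions are all local stand-ins and assumptions; only the type, constant and parameter names come from the page. It goes a little beyond the page's NOTES, which say only AVC_CALLBACK_RESET is currently exercised, by also walking TRY_REVOKE to show the out_retained contract an object manager must honour.

```c
/* Added example, not libselinux code and not from the man page: a single-threaded
 * simulation of the registry behind avc_add_callback(3). The types, event bit
 * values and sim_* functions are local stand-ins (assumptions); only the names of
 * the types, constants and parameters are taken from the man page. */
#include <errno.h>
#include <stdint.h>

typedef uint32_t security_id_t;      /* stand-in; libselinux uses an opaque pointer */
typedef uint16_t security_class_t;
typedef uint32_t access_vector_t;
#define SECSID_WILD ((security_id_t)0xffffffffu)   /* stand-in wildcard SID */
#define AVC_CALLBACK_TRY_REVOKE 0x02  /* event names from the man page; */
#define AVC_CALLBACK_REVOKE     0x04  /* the bit values are local assumptions */
#define AVC_CALLBACK_RESET      0x08

typedef int (*avc_callback_fn)(uint32_t event, security_id_t ssid, security_id_t tsid,
                               security_class_t tclass, access_vector_t perms,
                               access_vector_t *out_retained);
struct cb_node {                     /* one registration, as avc_add_callback receives it */
    avc_callback_fn callback;
    uint32_t events;
    security_id_t ssid, tsid;
    security_class_t tclass;
    access_vector_t perms;
};
#define MAX_CALLBACKS 8
static struct cb_node registry[MAX_CALLBACKS];
static int nregistered;

/* Stand-in for avc_add_callback(3): same parameters, 0 on success, -1/errno on error. */
int sim_avc_add_callback(avc_callback_fn callback, uint32_t events, security_id_t ssid,
                         security_id_t tsid, security_class_t tclass, access_vector_t perms)
{
    if (nregistered == MAX_CALLBACKS) { errno = ENOMEM; return -1; }
    registry[nregistered++] = (struct cb_node){ callback, events, ssid, tsid, tclass, perms };
    return 0;
}

/* Stand-in for the AVC's dispatch on a policy change. A registration matches when its
 * events mask holds the event and (except for RESET, whose other arguments are unused)
 * each SID agrees or either side is SECSID_WILD, the class is equal and a permission
 * overlaps. Every match is called even after one fails; the return is -1 if any
 * failed. For TRY_REVOKE, *retained collects out_retained from callbacks returning 0. */
int sim_avc_notify(uint32_t event, security_id_t ssid, security_id_t tsid,
                   security_class_t tclass, access_vector_t perms, access_vector_t *retained)
{
    int rc = 0;
    *retained = 0;
    for (int i = 0; i < nregistered; i++) {
        const struct cb_node *n = &registry[i];
        access_vector_t out = 0;
        if (!(n->events & event)) continue;
        if (event != AVC_CALLBACK_RESET) {
            if (n->ssid != SECSID_WILD && ssid != SECSID_WILD && n->ssid != ssid) continue;
            if (n->tsid != SECSID_WILD && tsid != SECSID_WILD && n->tsid != tsid) continue;
            if (n->tclass != tclass || !(n->perms & perms)) continue;
        }
        if (n->callback(event, ssid, tsid, tclass, perms & n->perms, &out) < 0) { rc = -1; continue; }
        if (event == AVC_CALLBACK_TRY_REVOKE) *retained |= out;   /* ignored on -1 above */
    }
    return rc;
}

/* Sample object manager (constructed): drops its cached decisions on RESET and, on
 * TRY_REVOKE, keeps bit 0x1 (an in-flight operation) as a migrated permission. */
static int resets_seen;
static access_vector_t last_revoked;
static int om_callback(uint32_t event, security_id_t ssid, security_id_t tsid,
                       security_class_t tclass, access_vector_t perms, access_vector_t *out_retained)
{
    (void)ssid; (void)tsid; (void)tclass;
    if (event == AVC_CALLBACK_RESET) resets_seen++;
    else if (event == AVC_CALLBACK_TRY_REVOKE) { *out_retained = perms & 0x1; last_revoked = perms & ~0x1u; }
    return 0;
}

/* Always fails: its out_retained must be ignored and later registrations must still run. */
static int failing_callback(uint32_t event, security_id_t ssid, security_id_t tsid,
                            security_class_t tclass, access_vector_t perms, access_vector_t *out_retained)
{
    (void)event; (void)ssid; (void)tsid; (void)tclass; (void)perms;
    *out_retained = 0xff; errno = EINVAL;
    return -1;
}

/* Registers both callbacks and drives the events; returns 0 when every observation
 * matches the man page's description, otherwise the number of the failing step. */
int run_demo(void)
{
    const security_id_t ssid = 1, tsid = 2;   /* constructed SIDs and class */
    const security_class_t cls = 7;
    access_vector_t retained = 0;
    nregistered = 0; resets_seen = 0; last_revoked = 0;
    if (sim_avc_add_callback(failing_callback, AVC_CALLBACK_TRY_REVOKE, ssid, SECSID_WILD, cls, 0xff)) return 1;
    if (sim_avc_add_callback(om_callback, AVC_CALLBACK_RESET | AVC_CALLBACK_TRY_REVOKE, ssid, SECSID_WILD, cls, 0xff)) return 2;
    /* TRY_REVOKE of 0x3 for ssid 1: failing_callback's -1 (and its 0xff) does not stop om_callback, which retains 0x1 */
    if (sim_avc_notify(AVC_CALLBACK_TRY_REVOKE, ssid, tsid, cls, 0x3, &retained) != -1) return 3;
    if (retained != 0x1 || last_revoked != 0x2) return 4;
    /* the same event from an unrelated source SID matches neither registration */
    if (sim_avc_notify(AVC_CALLBACK_TRY_REVOKE, 99, tsid, cls, 0x4, &retained) != 0 || retained != 0 || last_revoked != 0x2) return 5;
    /* RESET: SID, class and permission arguments are unused; only om_callback registered for it */
    if (sim_avc_notify(AVC_CALLBACK_RESET, 0, 0, 0, 0, &retained) != 0 || resets_seen != 1) return 6;
    return 0;
}
```

Two design points carry over to a real object manager: the RESET handler must invalidate every cached decision the manager holds, since the man page says that is the one event the kernel actually delivers today; and because in threaded mode these callbacks run on the netlink handler thread, the counters and caches they touch (here the plain static resets_seen and last_revoked) would need a lock in real code, as the NOTES section warns.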