xref: /illumos-gate/usr/src/man/man7/pam_tsol_account.7 (revision 9164a50bf932130cbb5097a16f6986873ce0e6e5) 
 te
 Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 PAM_TSOL_ACCOUNT 7 "August 19, 2023"
 NAME
pam_tsol_account - PAM account management module for Trusted Extensions

 SYNOPSIS
pam_tsol_account.so.1




 DESCRIPTION
The Trusted Extensions service module for PAM,
pam_tsol_account.so.1, checks account limitations that
are related to labels.


pam_tsol_account.so.1 contains a function to perform account management,
pam_sm_acct_mgmt(3PAM).
The function checks for the allowed label range for
the user. The allowable label range is set by the defaults in the
label_encodings(5) file. These defaults can be overridden by entries in
the user_attr(5) database.


By default, this module requires that remote hosts connecting to the global
zone must have a CIPSO host type. To disable this policy, add the
allow_unlabeled keyword as an option to the entry in pam.conf(5),
as in:

other account required pam_tsol_account allow_unlabeled




 OPTIONS
The following options can be passed to the module:
allow_unlabeled


Allows remote connections from hosts with unlabeled template types.



debug


Provides debugging information at the LOG_DEBUG level. See
syslog(3C).




 RETURN VALUES
The following values are returned:
PAM_SUCCESS


The account is valid for use at this time and label.



PAM_PERM_DENIED


The current process label is outside the user's label range, or the label
information for the process is unavailable, or the remote host type is not
valid.



Other values


Returns an error code that is consistent with typical PAM operations. For
information on error-related return values, see the pam(3PAM) man page.




 ATTRIBUTES
See attributes(7) for description of the following attributes:






ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Committed
MT Level MT-Safe with exceptions




The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.

 SEE ALSO
 keylogin (1),  syslog (3C),  libpam (3LIB),  pam (3PAM),  pam_sm_acct_mgmt (3PAM),  pam_start (3PAM),  label_encodings (5),  pam.conf (5),  user_attr (5),  attributes (7) 
 NOTES
The functionality described on this manual page is available only if the system
is configured with Trusted Extensions.