SELinux and PAM
With all the information about SELinux users and roles, we have not touched upon how exactly applications are able to create and assign a SELinux context to a user.
Assigning contexts through PAM
End users log in to a Linux system through either a login process (triggered through a getty
process), a networked service (for example, the OpenSSH daemon), or through a graphical login manager (xdm
, kdm
, gdm
, slim
, and so on).
These services are responsible for switching our effective user ID (upon successful authentication, of course) so that we are not logged on to the system as the root
user. In the case of SELinux systems, these processes also need to switch the SELinux user (and role) accordingly, as otherwise, the context will be ...
Get SELinux System Administration - Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.