Diffstat (limited to 'modules/pam_namespace/pam_namespace.8')
-rw-r--r-- | modules/pam_namespace/pam_namespace.8 | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index d0afb6c6..3c9e9b39 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -41,57 +41,57 @@ exists, it is used to initialize the instance directory after it is set up and m The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is logged using syslog .RE .PP -\fBunmnt_remnt\fR +unmnt_remnt .RS 4 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context .RE .PP -\fBunmnt_only\fR +unmnt_only .RS 4 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories .RE .PP -\fBrequire_selinux\fR +require_selinux .RS 4 If selinux is not enabled, return failure .RE .PP -\fBgen_hash\fR +gen_hash .RS 4 Instead of using the security context string for the instance name, generate and use its md5 hash\&. .RE .PP -\fBignore_config_error\fR +ignore_config_error .RS 4 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. 
Without this option, pam will return an error to the calling program resulting in termination of the session\&. .RE .PP -\fBignore_instance_parent_mode\fR +ignore_instance_parent_mode .RS 4 Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. .RE .PP -\fBunmount_on_close\fR +unmount_on_close .RS 4 Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&. .RE .PP -\fBuse_current_context\fR +use_current_context .RS 4 Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. .RE .PP -\fBuse_default_context\fR +use_default_context .RS 4 Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. .RE .PP -\fBmount_private\fR +mount_private .RS 4 This option can be used on systems where the / mount point or its submounts are made shared (for example with a \fBmount \-\-make\-rshared /\fR |
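Review bot: in the header hunk the `.TH` line is rewritten as `"Linux\-PAM" "Linux\-PAM Manual"` with escaped hyphens while the `.\" Source:` comment a few lines above now reads plain `Linux-PAM`; both are generator output, so that inconsistency is harmless, but the generator bump (v1.79.1 to v1.79.2) and the date change (09/03/2021 to 05/07/2023) show this page was regenerated with a different toolchain, and the diffstat lists only this one file. Confirm the other generated man pages in the tree are regenerated in the same commit, otherwise the repository carries output from two stylesheet versions side by side.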
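Review bot: in the OPTIONS hunk every option name loses its bold markup (`-\fBdebug\fR` becomes `+debug`, and the same for `unmnt_remnt`, `unmnt_only`, `require_selinux`, `gen_hash`, `ignore_config_error`, `ignore_instance_parent_mode`, `unmount_on_close`, `use_current_context`, `use_default_context` and `mount_private`), so the rendered page will no longer set option names in bold while the descriptions under each `.RS 4` are byte-for-byte unchanged. That is a presentation regression introduced by the stylesheet version change rather than an intended edit; if the emphasis is wanted, check the `<term>`/`<option>` markup in the DocBook source or the stylesheet customization before committing the regenerated output, since a man page whose options are no longer visually distinguishable is harder to read for administrators choosing between entries such as `ignore_instance_parent_mode`, which the text itself flags as reducing isolation.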