(root)/
Linux-PAM-1.5.3/
modules/
pam_sepermit/
sepermit.conf.5.xml
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="sepermit.conf">

  <refmeta>
    <refentrytitle>sepermit.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>sepermit.conf</refname>
    <refpurpose>configuration file for the pam_sepermit module</refpurpose>
  </refnamediv>

  <refsect1 xml:id="sepermit.conf-description">
    <title>DESCRIPTION</title>
    <para>
      The lines of the configuration file have the following syntax:
    </para>
    <para>
      <replaceable>&lt;user&gt;</replaceable>[:<replaceable>&lt;option&gt;</replaceable>:<replaceable>&lt;option&gt;</replaceable>...]
    </para>
    <para>
      The <emphasis remap="B">user</emphasis> can be specified in the following manner:
    </para>
    <itemizedlist>
        <listitem>
              <para>
                a username
              </para>
        </listitem>
        <listitem>
              <para>
                a groupname, with <emphasis remap="B">@group</emphasis> syntax.
                This should not be confused with netgroups.
              </para>
        </listitem>
        <listitem>
              <para>
                a SELinux user name with <emphasis remap="B">%seuser</emphasis> syntax.
              </para>
        </listitem>
    </itemizedlist>

    <para>
      The recognized options are:
    </para>

    <variablelist>
        <varlistentry>
              <term>exclusive</term>
              <listitem>
                <para>
                  Only single login session will be allowed for the user
                  and the user's processes will be killed on logout.
                </para>
              </listitem>
        </varlistentry>
        <varlistentry>
              <term>ignore</term>
              <listitem>
                <para>
                  The module will never return PAM_SUCCESS status for the user.
                  It will return PAM_IGNORE if SELinux is in the enforcing mode,
                  and PAM_AUTH_ERR otherwise. It is useful if you want to support
                  passwordless guest users and other confined users with passwords
                  simultaneously.
                </para>
              </listitem>
        </varlistentry>
    </variablelist>

    <para>
      The lines which start with # character are comments and are ignored.
    </para>
  </refsect1>

  <refsect1 xml:id="sepermit.conf-examples">
    <title>EXAMPLES</title>
    <para>
      These are some example lines which might be specified in
      <filename>/etc/security/sepermit.conf</filename>.
    </para>
    <programlisting>
%guest_u:exclusive
%staff_u:ignore
%user_u:ignore
    </programlisting>
  </refsect1>

  <refsect1 xml:id="sepermit.conf-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
    </para>
  </refsect1>

  <refsect1 xml:id="sepermit.conf-author">
    <title>AUTHOR</title>
    <para>
      pam_sepermit and this manual page were written by Tomas Mraz &lt;tmraz@redhat.com&gt;
    </para>
  </refsect1>
</refentry>