<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
        "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

<refentry id="sepermit.conf">

  <refmeta>
    <refentrytitle>sepermit.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>sepermit.conf</refname>
    <refpurpose>configuration file for the pam_sepermit module</refpurpose>
  </refnamediv>

  <refsect1 id='sepermit.conf-description'>
    <title>DESCRIPTION</title>
    <para>
      The lines of the configuration file have the following syntax:
    </para>
    <para>
      <replaceable>&lt;user&gt;</replaceable>[:<replaceable>&lt;option&gt;</replaceable>:<replaceable>&lt;option&gt;</replaceable>...]
    </para>
    <para>
      The <emphasis remap='B'>user</emphasis> can be specified in the following manner:
    </para>
    <itemizedlist>
        <listitem>
              <para>
                a username
              </para>
        </listitem>
        <listitem>
              <para>
                a groupname, with <emphasis remap='B'>@group</emphasis> syntax.
                This should not be confused with netgroups.
              </para>
        </listitem>
        <listitem>
              <para>
                a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax.
              </para>
        </listitem>
    </itemizedlist>

    <para>
      The recognized options are:
    </para>

    <variablelist>
        <varlistentry>
              <term><option>exclusive</option></term>
              <listitem>
                <para>
                  Only single login session will be allowed for the user
                  and the user's processes will be killed on logout.
                </para>
              </listitem>
        </varlistentry>
        <varlistentry>
              <term><option>ignore</option></term>
              <listitem>
                <para>
                  The module will never return PAM_SUCCESS status for the user.
                  It will return PAM_IGNORE if SELinux is in the enforcing mode,
                  and PAM_AUTH_ERR otherwise. It is useful if you want to support
                  passwordless guest users and other confined users with passwords
                  simultaneously.
                </para>
              </listitem>
        </varlistentry>
    </variablelist>

    <para>
      The lines which start with # character are comments and are ignored.
    </para>
  </refsect1>

  <refsect1 id="sepermit.conf-examples">
    <title>EXAMPLES</title>
    <para>
      These are some example lines which might be specified in
      <filename>/etc/security/sepermit.conf</filename>.
    </para>
    <programlisting>
%guest_u:exclusive
%staff_u:ignore
%user_u:ignore
    </programlisting>
  </refsect1>

  <refsect1 id="sepermit.conf-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
    </para>
  </refsect1>

  <refsect1 id="sepermit.conf-author">
    <title>AUTHOR</title>
    <para>
      pam_sepermit and this manual page were written by Tomas Mraz &lt;tmraz@redhat.com&gt;
    </para>
  </refsect1>
</refentry>