From: Dominick Grift <domg472@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: pam_namespace context inside of name.inst
Date: Sun, 27 Sep 2009 18:05:42 +0200 [thread overview]
Message-ID: <20090927160540.GA7217@notebook3.grift.internal> (raw)
In-Reply-To: <4ABF8148.4010108@gmail.com>
On Sun, Sep 27, 2009 at 08:14:16AM -0700, Justin P. Mattock wrote:
> Dominick Grift wrote:
> >On Sat, Sep 26, 2009 at 11:12:20PM -0700, Justin Mattock wrote:
> >>I'm going crazy over here trying to figure
> >>out how one system created a context inside
> >>name.inst one way and another for the other system:
> >>
> >>the first system has inside of
> >>name.inst:
> >>system_u:object_r:file_t_name
> >
> >This is wrong because the fs wasn't labelled properly
> That's what I figured,(this is the system that I did not label
> before turning on namespace).
> >>and on the other system I have:
> >>
> >>name:object_r:user_home_dir_t_name
> >
> >This is right
> This is from the system that was labeled before turning on namespace.
> >>the only difference with the machines is one machine
> >>had not been labeled yet, before turning on namespace.
> >>
> >>what should be the right context directory inside of
> >>name.inst?
> >
> >Depends, i think theres 3 different possibilities (not sure)
> >
> >First there's only name (no SELinux), which creates a dir with the user name.
> >Second is context, which creates a dir with the context of the user home dir (user_home_dir_t) and appends the user name.
> >Third is level, which creates a dir with the context of the user home dir and appends the user name, and also appends the level of the dir.
> >
> >>--
> >>Justin P. Mattock
> >>
> So either you can use (name, context, level) or (meth=1,2,3)?
> (I'm wondering if this is all I need to configure)
This is what i use in /etc/security/namespace.conf:
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/ level root,adm
Besides that you would add entries to the related logins in /etc/pam.d/
For example:
session required pam_namespace.so
These entries are often already there.
And you need to set the boolean:
allow_polyinstantiation --> on
Also chmod -R 000 /tmp-inst (and /var/tmp-inst)
And make sure they have proper labelling:
[root@notebook3 pam.d]# /usr/sbin/semanage fcontext -l | grep tmp-inst
/tmp-inst directory system_u:object_r:tmp_t:s0
/tmp-inst/.* all files <<None>>
/tmp-inst/\.ICE-unix directory system_u:object_r:xdm_tmp_t:s0
/tmp-inst/\.ICE-unix/.* socket <<None>>
/tmp-inst/\.X0-lock all files system_u:object_r:xserver_tmp_t:s0
/tmp-inst/\.X11-unix directory system_u:object_r:xdm_tmp_t:s0
/tmp-inst/\.X11-unix/.* socket <<None>>
/tmp-inst/\.font-unix(/.*)? all files system_u:object_r:xfs_tmp_t:s0
/var/tmp-inst directory system_u:object_r:tmp_t:s0
After that, the rest should go automatically. You do not have to manually create /home/joe/joe.inst (usually this is done for you, and the same goes for stuff under there, plus stuff under /tmp-inst and /var/tmp-inst).
If however joe.inst is not automatically created on login, then do it manually. Also do chmod -R 000 on it and make sure its context is user_home_dir_t.
>
> Anyways what's getting me is after the initial loading
> of namespace, the directory is created with the context
> (namespace.conf is set to it's default).
> Then after wards I haven't found a way to change that directory
> (besides using mv, or cp) from what it is (*file_t) to
> the correct context(*home_dir_t)
>
> if I delete that directory, then logout/in namespace does not
> create another. Is there a way to reset namespace and start fresh
> since I messed up and turned on namespace before labeling my filesystem,
> causing it to somehow be stuck with the wrong labeled context?
It should create a new one automatically...
>
> Justin P. Mattock
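To tie the steps in the reply above together (namespace.conf entries, mode 000 on the instance parents, correct labels), here is an added pre-flight script. It is my own example, not code from the thread or from pam_namespace itself. The method keywords it accepts are the ones documented in pam_namespace.conf(5): user, context, level, tmpdir, tmpfs (the reply calls the first one "name"; the configuration keyword is "user"). The file and directory paths are whatever the caller passes in; the sample entries in the comments are constructed, and nothing on the system is modified.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: pre-flight checks for a
# pam_namespace (polyinstantiation) setup.  Validates a namespace.conf file
# and checks that an instance parent directory such as /tmp-inst has mode
# 000 and, where the SELinux tools exist, the label the policy expects.
# Sample input for these functions looks like (constructed):
#   /tmp      /tmp-inst/         level  root,adm
#   /var/tmp  /var/tmp-inst/     level  root,adm
#   $HOME     $HOME/$USER.inst/  level  root,adm

# Method keywords documented in pam_namespace.conf(5).
VALID_METHODS="user context level tmpdir tmpfs"

# check_namespace_conf FILE
# One diagnostic per bad entry on stderr.  Returns 0 when every entry has
# the form "polydir instance_prefix method users" with a known method,
# 1 otherwise.
check_namespace_conf() {
    conf=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                  # drop trailing comments
        set -f                            # no globbing while splitting
        set -- $line
        set +f
        [ $# -eq 0 ] && continue          # blank or comment-only line
        if [ $# -ne 4 ]; then
            echo "$conf:$n: expected 4 fields (polydir inst_prefix method users), got $#" >&2
            bad=1
            continue
        fi
        polydir=$1 inst=$2 method=${3%%:*}    # "level:create=0700" -> "level"
        case $polydir in
            /*|\$HOME*|'~'*) ;;
            *) echo "$conf:$n: polydir '$polydir' is not an absolute path" >&2; bad=1 ;;
        esac
        case $inst in
            /*|\$HOME*|'~'*) ;;
            *) echo "$conf:$n: instance prefix '$inst' is not an absolute path" >&2; bad=1 ;;
        esac
        case " $VALID_METHODS " in
            *" $method "*) ;;
            *) echo "$conf:$n: unknown method '$method' (expected one of: $VALID_METHODS)" >&2; bad=1 ;;
        esac
    done < "$conf"
    return $bad
}

# check_inst_dir DIR
# The instance parent must exist and be mode 000 so that no user can list
# or enter other users' instance directories (the "chmod -R 000 /tmp-inst"
# step above).  Returns 0 if so, 1 otherwise.
check_inst_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; create it with: mkdir -m 000 $dir" >&2
        return 1
    fi
    # -prune keeps find from descending, so only DIR itself is tested
    if [ -n "$(find "$dir" -prune ! -perm 000)" ]; then
        echo "$dir: mode is not 000; fix with: chmod -R 000 $dir" >&2
        return 1
    fi
    return 0
}

# check_inst_label DIR
# Verifies DIR's on-disk SELinux label against the file-context policy
# (the semanage fcontext entries shown above) using matchpathcon -V, which
# prints "verified." or the expected label and exits nonzero on mismatch.
# Returns 0 on a match, or when the tool is absent (reported, not verified).
check_inst_label() {
    dir=$1
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "$dir: matchpathcon not found, label not verified" >&2
        return 0
    fi
    matchpathcon -V "$dir" && return 0
    echo "$dir: label mismatch; fix with: restorecon -Rv $dir" >&2
    return 1
}

# run_checks CONF DIR...
# Runs all three checks; returns 0 only if everything passes.
run_checks() {
    rc=0
    check_namespace_conf "$1" || rc=1
    shift
    for d in "$@"; do
        check_inst_dir "$d" || rc=1
        check_inst_label "$d" || rc=1
    done
    return $rc
}
```

Source the file and call `run_checks /etc/security/namespace.conf /tmp-inst /var/tmp-inst` before enabling the allow_polyinstantiation boolean; a user's $HOME/$USER.inst can be checked the same way once it exists. The script only reports; the fixes it suggests (mkdir -m 000, chmod -R 000, restorecon) are the ones the thread describes.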