* pam_namespace context inside of name.inst
From: Justin Mattock @ 2009-09-27 6:12 UTC
To: SE-Linux

I'm going crazy over here trying to figure
out how one system created a context inside
name.inst one way and another for the other system:

the first system has inside of
name.inst:
system_u:object_r:file_t_name

and on the other system I have:

name:object_r:user_home_dir_t_name

the only difference with the machines is one machine
had not been labeled yet, before turning on namespace.

what should be the right context directory inside of
name.inst?

--
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: pam_namespace context inside of name.inst
From: Dominick Grift @ 2009-09-27 13:13 UTC
To: selinux

On Sat, Sep 26, 2009 at 11:12:20PM -0700, Justin Mattock wrote:
> I'm going crazy over here trying to figure
> out how one system created a context inside
> name.inst one way and another for the other system:
>
> the first system has inside of
> name.inst:
> system_u:object_r:file_t_name

This is wrong because the fs wasn't labelled properly

> and on the other system I have:
>
> name:object_r:user_home_dir_t_name

This is right

> the only difference with the machines is one machine
> had not been labeled yet, before turning on namespace.
>
> what should be the right context directory inside of
> name.inst?

Depends, I think there's 3 different possibilities (not sure)

first there's only name (no selinux) which creates a dir with the user name
second is context which creates a dir with the context of the user home dir (user_home_dir_t) and appends the user name
third is level, which creates a dir with the context of the user home dir and appends the username and also appends the level of the dir.

> --
> Justin P. Mattock
* Re: pam_namespace context inside of name.inst
From: Justin P. Mattock @ 2009-09-27 15:14 UTC
To: Dominick Grift; +Cc: selinux

Dominick Grift wrote:
> On Sat, Sep 26, 2009 at 11:12:20PM -0700, Justin Mattock wrote:
>
>> I'm going crazy over here trying to figure
>> out how one system created a context inside
>> name.inst one way and another for the other system:
>>
>> the first system has inside of
>> name.inst:
>> system_u:object_r:file_t_name
>>
>
> This is wrong because the fs wasn't labelled properly
>
That's what I figured (this is the system that I did not label before turning on namespace).

>> and on the other system I have:
>>
>> name:object_r:user_home_dir_t_name
>>
>
> This is right
>
This is from the system that was labeled before turning on namespace.

>> the only difference with the machines is one machine
>> had not been labeled yet, before turning on namespace.
>>
>> what should be the right context directory inside of
>> name.inst?
>>
>
> Depends, I think there's 3 different possibilities (not sure)
>
> first there's only name (no selinux) which creates a dir with the user name
> second is context which creates a dir with the context of the user home dir (user_home_dir_t) and appends the user name
> third is level, which creates a dir with the context of the user home dir and appends the username and also appends the level of the dir.
>
>> --
>> Justin P. Mattock
>>

So either you can use (name,context,level) or (meth=1,2,3)?
(I'm wondering if this is all I need to configure)

Anyways what's getting me is after the initial loading
of namespace, the directory is created with the context
(namespace.conf is set to its default).
Then afterwards I haven't found a way to change that directory
(besides using mv, or cp) from what it is (*file_t) to
the correct context (*home_dir_t)

if I delete that directory, then logout/in namespace does not
create another. Is there a way to reset namespace and start fresh
since I messed up and turned on namespace before labeling my filesystem,
causing it to somehow be stuck with the wrong labeled context?

Justin P. Mattock
* Re: pam_namespace context inside of name.inst
From: Dominick Grift @ 2009-09-27 16:05 UTC
To: selinux

On Sun, Sep 27, 2009 at 08:14:16AM -0700, Justin P. Mattock wrote:
> Dominick Grift wrote:
>> On Sat, Sep 26, 2009 at 11:12:20PM -0700, Justin Mattock wrote:
>>> I'm going crazy over here trying to figure
>>> out how one system created a context inside
>>> name.inst one way and another for the other system:
>>>
>>> the first system has inside of
>>> name.inst:
>>> system_u:object_r:file_t_name
>>
>> This is wrong because the fs wasn't labelled properly
> That's what I figured (this is the system that I did not label
> before turning on namespace).
>>> and on the other system I have:
>>>
>>> name:object_r:user_home_dir_t_name
>>
>> This is right
> This is from the system that was labeled before turning on namespace.
>>> the only difference with the machines is one machine
>>> had not been labeled yet, before turning on namespace.
>>>
>>> what should be the right context directory inside of
>>> name.inst?
>>
>> Depends, I think there's 3 different possibilities (not sure)
>>
>> first there's only name (no selinux) which creates a dir with the user name
>> second is context which creates a dir with the context of the user home dir (user_home_dir_t) and appends the user name
>> third is level, which creates a dir with the context of the user home dir and appends the username and also appends the level of the dir.
>>
>>> --
>>> Justin P. Mattock
>
> So either you can use (name,context,level) or (meth=1,2,3)?
> (I'm wondering if this is all I need to configure)

This is what I use in /etc/security/namespace.conf:

/tmp       /tmp-inst/          level   root,adm
/var/tmp   /var/tmp-inst/      level   root,adm
$HOME      $HOME/$USER.inst/   level   root,adm

Besides that you would add entries to the related logins in /etc/pam.d/

For example:
session    required    pam_namespace.so

These entries are often already there.

And you need to set the boolean:
allow_polyinstantiation --> on

Also chmod -R 000 /tmp-inst (and /var/tmp-inst)
And make sure they have proper labelling:

[root@notebook3 pam.d]# /usr/sbin/semanage fcontext -l | grep tmp-inst
/tmp-inst                      directory    system_u:object_r:tmp_t:s0
/tmp-inst/.*                   all files    <<None>>
/tmp-inst/\.ICE-unix           directory    system_u:object_r:xdm_tmp_t:s0
/tmp-inst/\.ICE-unix/.*        socket       <<None>>
/tmp-inst/\.X0-lock            all files    system_u:object_r:xserver_tmp_t:s0
/tmp-inst/\.X11-unix           directory    system_u:object_r:xdm_tmp_t:s0
/tmp-inst/\.X11-unix/.*        socket       <<None>>
/tmp-inst/\.font-unix(/.*)?    all files    system_u:object_r:xfs_tmp_t:s0
/var/tmp-inst                  directory    system_u:object_r:tmp_t:s0

After that, the rest should go automatically. You do not have to manually create /home/joe/joe.inst (usually this is done for you, and same goes for stuff under there plus stuff under /tmp-inst and /tmp-inst).

If however joe.inst is not automatically created on login, then do it manually. Also do chmod -R 000 on it and make sure its context is user_home_dir_t.

> Anyways what's getting me is after the initial loading
> of namespace, the directory is created with the context
> (namespace.conf is set to its default).
> Then afterwards I haven't found a way to change that directory
> (besides using mv, or cp) from what it is (*file_t) to
> the correct context (*home_dir_t)
>
> if I delete that directory, then logout/in namespace does not
> create another. Is there a way to reset namespace and start fresh
> since I messed up and turned on namespace before labeling my filesystem,
> causing it to somehow be stuck with the wrong labeled context?

It should create a new one automatically...

> Justin P. Mattock
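An added example, not code from the thread or from pam_namespace itself: a POSIX shell script that turns Dominick's checklist above into offline checks. It parses a namespace.conf for entries whose method is outside the three the thread names (name, context, level; adjust the ACCEPTED list to what your pam_namespace(8) documents, which is an assumption here), verifies that an instance prefix such as /tmp-inst is mode 000 as he recommends, and scans an instance directory like $HOME/$USER.inst for subdirectories named after a file_t context, which is the symptom Justin saw on the machine that was never relabelled. It cannot query SELinux contexts offline the way semanage does, so it judges by the directory names pam_namespace chose. Every input is a constructed fixture in a temporary directory; the paths, the mistyped "lvl" method and the two instance names are made up for the demo, and nothing under /etc is touched. The ls -ld column layout and mktemp -d are assumed to be the GNU/BSD ones.

```shell
#!/bin/sh
# Added example (not from the thread or from pam_namespace): offline checks
# for the setup Dominick describes. All inputs below are a constructed
# fixture in a temporary directory; nothing touches /etc or needs SELinux.

# Accepted base methods, taken from the thread's wording. Assumption:
# adjust this list to whatever your pam_namespace(8) man page documents.
ACCEPTED="name context level"

# Print "polydir instance_prefix method" for each active namespace.conf
# entry; return 1 if any entry's base method is not in ACCEPTED. A modifier
# after a colon (e.g. "level:create") is tolerated: only the base is checked.
parse_namespace_conf() {
    rc=0
    while read -r polydir prefix method uids || [ -n "$polydir" ]; do
        case "$polydir" in ''|'#'*) continue ;; esac
        base=${method%%:*}
        ok=0
        for m in $ACCEPTED; do
            [ "$base" = "$m" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "BAD-METHOD $polydir $method" >&2
            rc=1
        fi
        echo "$polydir $prefix $method"
    done < "$1"
    return $rc
}

# Dominick's hardening step is "chmod -R 000" on each instance prefix so only
# root (which pam_namespace runs as) can traverse it. Return 0 if the
# directory exists with mode 000, 1 otherwise.
check_instance_prefix() {
    if [ ! -d "$1" ]; then
        echo "MISSING $1" >&2
        return 1
    fi
    # Columns 1-10 of ls -ld are the type plus permission bits; an SELinux "."
    # or ACL "+" marker would sit in column 11, so it is cut off here.
    perm=$(ls -ld "$1" | cut -c1-10)
    if [ "$perm" != "d---------" ]; then
        echo "MODE $1 $perm (expected d---------)" >&2
        return 1
    fi
    echo "OK $1"
}

# Justin's symptom: an instance directory whose name carries a file_t
# context was created while the filesystem was still unlabelled. Report
# such names on stderr and print the count on stdout (0 means clean).
# On a real system run this as root, since *.inst is normally mode 000.
find_unlabeled_instances() {
    n=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        case ${d##*/} in
            *:object_r:file_t_*) echo "UNLABELED $d" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed fixture: the three namespace.conf entries from the thread, a
# copy with a mistyped method, a 000 instance prefix, a world-open one, and
# a name.inst holding both directory names seen on Justin's two systems.
build_fixture() {
    root=$(mktemp -d)
    cat > "$root/namespace.conf" <<'EOF'
# polydir   instance_prefix     method  list_of_uids
/tmp        /tmp-inst/          level   root,adm
/var/tmp    /var/tmp-inst/      level   root,adm
$HOME       $HOME/$USER.inst/   level   root,adm
EOF
    { cat "$root/namespace.conf"; echo "/srv/scratch /srv/scratch-inst/ lvl root"; } \
        > "$root/namespace-bad.conf"
    mkdir -p "$root/tmp-inst" "$root/open-inst" \
        "$root/name.inst/system_u:object_r:file_t_name" \
        "$root/name.inst/name:object_r:user_home_dir_t_name"
    chmod 000 "$root/tmp-inst"
    echo "$root"
}

cleanup_fixture() {
    chmod -R u+rwx "$1" 2>/dev/null || true
    rm -rf "$1"
}

# Demo against the fixture; on a real host point the functions at
# /etc/security/namespace.conf, /tmp-inst and $HOME/$USER.inst instead.
demo() {
    root=$(build_fixture)
    parse_namespace_conf "$root/namespace-bad.conf" || echo "namespace-bad.conf rejected"
    check_instance_prefix "$root/tmp-inst" || true
    check_instance_prefix "$root/open-inst" || echo "open-inst needs chmod -R 000"
    echo "unlabelled instance dirs: $(find_unlabeled_instances "$root/name.inst")"
    cleanup_fixture "$root"
}
demo
```

The three checks are deliberately separate functions so each can be pointed at the real files as root; a non-zero count from find_unlabeled_instances on a live $HOME/$USER.inst is the case the thread ends on, where the directory has to be removed after relabelling so pam_namespace can recreate it with the right context.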
* Re: pam_namespace context inside of name.inst
From: Justin Mattock @ 2009-09-27 17:51 UTC
To: Dominick Grift; +Cc: selinux

On Sun, Sep 27, 2009 at 9:05 AM, Dominick Grift <domg472@gmail.com> wrote:
> On Sun, Sep 27, 2009 at 08:14:16AM -0700, Justin P. Mattock wrote:
>> Dominick Grift wrote:
>>> On Sat, Sep 26, 2009 at 11:12:20PM -0700, Justin Mattock wrote:
>>>> I'm going crazy over here trying to figure
>>>> out how one system created a context inside
>>>> name.inst one way and another for the other system:
>>>>
>>>> the first system has inside of
>>>> name.inst:
>>>> system_u:object_r:file_t_name
>>>
>>> This is wrong because the fs wasn't labelled properly
>> That's what I figured (this is the system that I did not label
>> before turning on namespace).
>>>> and on the other system I have:
>>>>
>>>> name:object_r:user_home_dir_t_name
>>>
>>> This is right
>> This is from the system that was labeled before turning on namespace.
>>>> the only difference with the machines is one machine
>>>> had not been labeled yet, before turning on namespace.
>>>>
>>>> what should be the right context directory inside of
>>>> name.inst?
>>>
>>> Depends, I think there's 3 different possibilities (not sure)
>>>
>>> first there's only name (no selinux) which creates a dir with the user name
>>> second is context which creates a dir with the context of the user home dir (user_home_dir_t) and appends the user name
>>> third is level, which creates a dir with the context of the user home dir and appends the username and also appends the level of the dir.
>>>
>>>> --
>>>> Justin P. Mattock
>> So either you can use (name,context,level) or (meth=1,2,3)?
>> (I'm wondering if this is all I need to configure)
>
> This is what I use in /etc/security/namespace.conf:
>
> /tmp       /tmp-inst/          level   root,adm
> /var/tmp   /var/tmp-inst/      level   root,adm
> $HOME      $HOME/$USER.inst/   level   root,adm
>

yep, that's what I have as well.

> Besides that you would add entries to the related logins in /etc/pam.d/
>
> For example:
> session    required    pam_namespace.so
>
> These entries are often already there.
>

I added that to login, and ssh (gdm if I had it installed)

> And you need to set the boolean:
> allow_polyinstantiation --> on
>

yep.

> Also chmod -R 000 /tmp-inst (and /var/tmp-inst)
> And make sure they have proper labelling:
> [root@notebook3 pam.d]# /usr/sbin/semanage fcontext -l | grep tmp-inst
> /tmp-inst                      directory    system_u:object_r:tmp_t:s0
> /tmp-inst/.*                   all files    <<None>>
> /tmp-inst/\.ICE-unix           directory    system_u:object_r:xdm_tmp_t:s0
> /tmp-inst/\.ICE-unix/.*        socket       <<None>>
> /tmp-inst/\.X0-lock            all files    system_u:object_r:xserver_tmp_t:s0
> /tmp-inst/\.X11-unix           directory    system_u:object_r:xdm_tmp_t:s0
> /tmp-inst/\.X11-unix/.*        socket       <<None>>
> /tmp-inst/\.font-unix(/.*)?    all files    system_u:object_r:xfs_tmp_t:s0
> /var/tmp-inst                  directory    system_u:object_r:tmp_t:s0
>
> After that, the rest should go automatically. You do not have to manually create /home/joe/joe.inst (usually this is done for you, and same goes for stuff under there plus stuff under /tmp-inst and /tmp-inst).
>

it was generated. the problem I'm seeing right now is the context is wrong, because I hadn't labeled the filesystem.

> If however joe.inst is not automatically created on login, then do it manually. Also do chmod -R 000 on it and make sure its context is user_home_dir_t.
>
>> Anyways what's getting me is after the initial loading
>> of namespace, the directory is created with the context
>> (namespace.conf is set to its default).
>> Then afterwards I haven't found a way to change that directory
>> (besides using mv, or cp) from what it is (*file_t) to
>> the correct context (*home_dir_t)
>>
>> if I delete that directory, then logout/in namespace does not
>> create another. Is there a way to reset namespace and start fresh
>> since I messed up and turned on namespace before labeling my filesystem,
>> causing it to somehow be stuck with the wrong labeled context?
>
> It should create a new one automatically...

Seems from what I'm looking at /etc/security/namespace.init is called once for the initial start, then after that is never called again. (but could be wrong).
for now I'm going to see if there's a way to have this mechanism call itself like it had done from the first start, if so then it should generate a newly created *.inst and be in the right context. (if not then I'll manually create it like you had suggested).

>> Justin P. Mattock
>

--
Justin P. Mattock
* Re: pam_namespace context inside of name.inst
From: Justin P. Mattock @ 2009-09-27 22:45 UTC
To: Dominick Grift; +Cc: selinux

Well this is confusing to me
the first initial start created /home/name/name.inst
then if I move name.inst that directory just for some reason isn't being recreated after login.

But if I change the location to:
/home/name.inst
that directory can be deleted, and a new one created upon every login.

As for the context in name.inst for some reason one system created
name:object_r:user_home_dir_t_name
as the directory name, but then other directories created are:
system_u:object_r:file_t_name
(which seems right, but am unsure)

I think I'll leave namespace.conf to /home/name.inst because everything runs as is.

Justin P. Mattock