* polyinstantiation, what should happen?
@ 2007-01-17 23:01 Xavier Toth
2007-01-17 23:48 ` Linda Knippers
0 siblings, 1 reply; 6+ messages in thread
From: Xavier Toth @ 2007-01-17 23:01 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 614 bytes --]
I'm running the lspp.63 kernel along with the latest pam and newrole
off of Dan Walsh' people page.
I've configured polyinstantiation but it doesn't work the way I
thought it would so either I don't understand or I've got it
configured wrong. In namespace.conf I've specified that I want context
to be used for the polyinstantiated instance directories but I only
getting the user name. Shouldn't the directory name contain the entire
an context?
Also I'm running X so I followed the instructions on the pam_namespace
man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
su and newrole do?
Ted
[-- Attachment #2: namespace.conf --]
[-- Type: application/octet-stream, Size: 1475 bytes --]
# /etc/security/namespace.conf
#
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
# be polyinstantiated based on the MLS level part of the security context as well as user
# name, Polyinstantion will not be performed for user root and adm for directories
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
# will be created in /tmp-inst directory, where as instances of /var/tmp
# and users home directories will reside within the directories that
# are being polyinstantiated.
#
# Instance parent directories must exist for the polyinstantiation
# mechanism to work. By default, they should be created with the mode
# of 000. pam_namespace module will enforce this mode unless it
# is explicitly called with an argument to ignore the mode of the
# instance parent. System administrators should use this argument with
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
/tmp /tmp-inst/ context root,adm,tedx
/var/tmp /var/tmp/tmp-inst/ context root,adm,tedx
$HOME $HOME/$USER.inst/ context root,adm,tedx
[-- Attachment #3: newrole --]
[-- Type: application/octet-stream, Size: 246 bytes --]
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
session required pam_namespace.so unmnt_remnt no_unmount_on_close debug
[-- Attachment #4: gdm --]
[-- Type: application/octet-stream, Size: 409 bytes --]
#%PAM-1.0
auth required pam_env.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_namespace.so unmnt_remnt debug
[-- Attachment #5: login --]
[-- Type: application/octet-stream, Size: 690 bytes --]
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so debug
[-- Attachment #6: su --]
[-- Type: application/octet-stream, Size: 548 bytes --]
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
session required pam_namespace.so unmnt_remnt debug
[-- Attachment #7: sshd --]
[-- Type: application/octet-stream, Size: 344 bytes --]
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_namespace.so unmnt_remnt debug
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: polyinstantiation, what should happen?
2007-01-17 23:01 polyinstantiation, what should happen? Xavier Toth
@ 2007-01-17 23:48 ` Linda Knippers
2007-01-18 14:55 ` Stephen Smalley
2007-01-18 19:46 ` Xavier Toth
0 siblings, 2 replies; 6+ messages in thread
From: Linda Knippers @ 2007-01-17 23:48 UTC (permalink / raw)
To: Xavier Toth; +Cc: selinux
Xavier Toth wrote:
> I'm running the lspp.63 kernel along with the latest pam and newrole
> off of Dan Walsh' people page.
>
> I've configured polyinstantiation but it doesn't work the way I
> thought it would so either I don't understand or I've got it
> configured wrong. In namespace.conf I've specified that I want context
> to be used for the polyinstantiated instance directories but I only
> getting the user name. Shouldn't the directory name contain the entire
> an context?
Perhaps. I think the method field specifies when you want to polyinstantiate,
not necessarily what the instance names are, although it makes sense that
the directories would be named using the context and the user name.
I use "level" instead of "context" on my system and I get directory names that
have the full context, including level, plus the user name. By specifying
"level" but I only get a new instance when I change levels, not when I change
roles.
My namespace.conf looks like this, if you want to give that a try:
/tmp /tmp/tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME /home/home.inst/ level root,adm
Do you have any interesting messages in /var/log/secure? Since you have
the the debug option on your pam_namespace.so lines you should see messages
when it creates an instance directory.
-- ljk
> Also I'm running X so I followed the instructions on the pam_namespace
> man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
> su and newrole do?
>
> Ted
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: polyinstantiation, what should happen?
2007-01-17 23:48 ` Linda Knippers
@ 2007-01-18 14:55 ` Stephen Smalley
2007-01-18 19:46 ` Xavier Toth
1 sibling, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2007-01-18 14:55 UTC (permalink / raw)
To: Linda Knippers; +Cc: Xavier Toth, selinux, Daniel J Walsh
On Wed, 2007-01-17 at 18:48 -0500, Linda Knippers wrote:
> Xavier Toth wrote:
> > I'm running the lspp.63 kernel along with the latest pam and newrole
> > off of Dan Walsh' people page.
> >
> > I've configured polyinstantiation but it doesn't work the way I
> > thought it would so either I don't understand or I've got it
> > configured wrong. In namespace.conf I've specified that I want context
> > to be used for the polyinstantiated instance directories but I only
> > getting the user name. Shouldn't the directory name contain the entire
> > an context?
>
> Perhaps. I think the method field specifies when you want to polyinstantiate,
> not necessarily what the instance names are, although it makes sense that
> the directories would be named using the context and the user name.
> I use "level" instead of "context" on my system and I get directory names that
> have the full context, including level, plus the user name. By specifying
> "level" but I only get a new instance when I change levels, not when I change
> roles.
>
> My namespace.conf looks like this, if you want to give that a try:
> /tmp /tmp/tmp-inst/ level root,adm
> /var/tmp /var/tmp/tmp-inst/ level root,adm
> $HOME /home/home.inst/ level root,adm
Yes, use "level" - see the earlier discussion on redhat-lspp.
Dan - should "context" trigger a warning or error until such a time as
it is correctly supported?
> > Also I'm running X so I followed the instructions on the pam_namespace
> > man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
> > su and newrole do?
It shouldn't, since there is no prior bind mount to unmount in the gdm
case. Not sure how well gdm will play with pam_namespace though; we
couldn't use pam_selinux with gdm but instead had to patch it directly
IIRC.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: polyinstantiation, what should happen?
2007-01-17 23:48 ` Linda Knippers
2007-01-18 14:55 ` Stephen Smalley
@ 2007-01-18 19:46 ` Xavier Toth
2007-01-19 19:12 ` Linda Knippers
1 sibling, 1 reply; 6+ messages in thread
From: Xavier Toth @ 2007-01-18 19:46 UTC (permalink / raw)
To: Linda Knippers; +Cc: selinux
I changed namespace.conf to use 'level' and created a new user and
them su'd to that new user 'test' but as you'll see below the
directory that gets created is simply named 'test'.
Jan 18 13:14:55 localhost su: pam_unix(su:session): session opened for
user test by root(uid=0)
Jan 18 13:14:55 localhost su: pam_namespace(su:session): open_session - start
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Parsing
config file /etc/security/namespace.conf
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Configured poly dirs:
Jan 18 13:14:55 localhost su: pam_namespace(su:session): dir='/tmp'
iprefix='/tmp-inst/' meth=1
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
Jan 18 13:14:55 localhost su: pam_namespace(su:session):
dir='/var/tmp' iprefix='/var/tmp/tmp-inst/' meth=1
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
Jan 18 13:14:55 localhost su: pam_namespace(su:session):
dir='/home/test' iprefix='/home/test/test.inst/' meth=1
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set up
namespace for pid 5761
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
ns override in dir /tmp for uid 503
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Need poly ns
for user 503 for dir /tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
ns override in dir /tmp for uid 503
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
ns for user 503 for dir /tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside /tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
/tmp failed, Invalid argument
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
for directory /tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
(null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
/tmp-inst/test
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
ns override in dir /var/tmp for uid 503
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
ns for user 503 for dir /var/tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside /var/tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
/var/tmp failed, Invalid argument
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
for directory /var/tmp
Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
(null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
/var/tmp/tmp-inst/test
Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
ns override in dir /home/test for uid 503
Jan 18 13:14:56 localhost su: pam_namespace(su:session): Setting poly
ns for user 503 for dir /home/test
Jan 18 13:14:56 localhost su: pam_namespace(su:session): cwd is
outside /home/test
Jan 18 13:14:56 localhost su: pam_namespace(su:session): Unmount of
/home/test failed, Invalid argument
Jan 18 13:14:56 localhost su: pam_namespace(su:session): Set namespace
for directory /home/test
Jan 18 13:14:56 localhost su: pam_namespace(su:session): poly_name test
Jan 18 13:14:56 localhost su: pam_namespace(su:session): Inst ctxt
(null) Orig ctxt root:object_r:user_home_dir_t:SystemLow
Jan 18 13:14:56 localhost su: pam_namespace(su:session): instance_dir
/home/test/test.inst/test
Jan 18 13:14:56 localhost su: pam_namespace(su:session): namespace
setup ok for pid 5761
On 1/17/07, Linda Knippers <linda.knippers@hp.com> wrote:
> Xavier Toth wrote:
> > I'm running the lspp.63 kernel along with the latest pam and newrole
> > off of Dan Walsh' people page.
> >
> > I've configured polyinstantiation but it doesn't work the way I
> > thought it would so either I don't understand or I've got it
> > configured wrong. In namespace.conf I've specified that I want context
> > to be used for the polyinstantiated instance directories but I only
> > getting the user name. Shouldn't the directory name contain the entire
> > an context?
>
> Perhaps. I think the method field specifies when you want to polyinstantiate,
> not necessarily what the instance names are, although it makes sense that
> the directories would be named using the context and the user name.
> I use "level" instead of "context" on my system and I get directory names that
> have the full context, including level, plus the user name. By specifying
> "level" but I only get a new instance when I change levels, not when I change
> roles.
>
> My namespace.conf looks like this, if you want to give that a try:
> /tmp /tmp/tmp-inst/ level root,adm
> /var/tmp /var/tmp/tmp-inst/ level root,adm
> $HOME /home/home.inst/ level root,adm
>
> Do you have any interesting messages in /var/log/secure? Since you have
> the the debug option on your pam_namespace.so lines you should see messages
> when it creates an instance directory.
>
> -- ljk
>
> > Also I'm running X so I followed the instructions on the pam_namespace
> > man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
> > su and newrole do?
> >
> > Ted
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: polyinstantiation, what should happen?
2007-01-18 19:46 ` Xavier Toth
@ 2007-01-19 19:12 ` Linda Knippers
2007-01-22 21:30 ` Ted X Toth
0 siblings, 1 reply; 6+ messages in thread
From: Linda Knippers @ 2007-01-19 19:12 UTC (permalink / raw)
To: Xavier Toth; +Cc: selinux
Xavier Toth wrote:
> I changed namespace.conf to use 'level' and created a new user and
> them su'd to that new user 'test' but as you'll see below the
> directory that gets created is simply named 'test'.
>
> Jan 18 13:14:55 localhost su: pam_unix(su:session): session opened for
> user test by root(uid=0)
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): open_session -
> start
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Parsing
> config file /etc/security/namespace.conf
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Configured poly
> dirs:
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): dir='/tmp'
> iprefix='/tmp-inst/' meth=1
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
> Jan 18 13:14:55 localhost su: pam_namespace(su:session):
> dir='/var/tmp' iprefix='/var/tmp/tmp-inst/' meth=1
If you have "level" as the method then you should have meth=3 in the above line.
meth=1 means "user", which doesn't even match what you sent as your original
namespace.conf file. "user" is the default if SELinux isn't configured or if
the pam_namespace module decides that there's no context change, which I guess
would be the case for 'su'. What happens if you log in as that user? And
then use newrole?
-- ljk
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
> Jan 18 13:14:55 localhost su: pam_namespace(su:session):
> dir='/home/test' iprefix='/home/test/test.inst/' meth=1
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set up
> namespace for pid 5761
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
> ns override in dir /tmp for uid 503
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Need poly ns
> for user 503 for dir /tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
> ns override in dir /tmp for uid 503
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
> ns for user 503 for dir /tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside
> /tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
> /tmp failed, Invalid argument
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
> for directory /tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
> (null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
> /tmp-inst/test
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
> ns override in dir /var/tmp for uid 503
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
> ns for user 503 for dir /var/tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside
> /var/tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
> /var/tmp failed, Invalid argument
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
> for directory /var/tmp
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
> (null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
> /var/tmp/tmp-inst/test
> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
> ns override in dir /home/test for uid 503
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Setting poly
> ns for user 503 for dir /home/test
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): cwd is
> outside /home/test
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Unmount of
> /home/test failed, Invalid argument
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Set namespace
> for directory /home/test
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): poly_name test
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Inst ctxt
> (null) Orig ctxt root:object_r:user_home_dir_t:SystemLow
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): instance_dir
> /home/test/test.inst/test
> Jan 18 13:14:56 localhost su: pam_namespace(su:session): namespace
> setup ok for pid 5761
>
> On 1/17/07, Linda Knippers <linda.knippers@hp.com> wrote:
>
>> Xavier Toth wrote:
>> > I'm running the lspp.63 kernel along with the latest pam and newrole
>> > off of Dan Walsh' people page.
>> >
>> > I've configured polyinstantiation but it doesn't work the way I
>> > thought it would so either I don't understand or I've got it
>> > configured wrong. In namespace.conf I've specified that I want context
>> > to be used for the polyinstantiated instance directories but I only
>> > getting the user name. Shouldn't the directory name contain the entire
>> > an context?
>>
>> Perhaps. I think the method field specifies when you want to
>> polyinstantiate,
>> not necessarily what the instance names are, although it makes sense that
>> the directories would be named using the context and the user name.
>> I use "level" instead of "context" on my system and I get directory
>> names that
>> have the full context, including level, plus the user name. By
>> specifying
>> "level" but I only get a new instance when I change levels, not when I
>> change
>> roles.
>>
>> My namespace.conf looks like this, if you want to give that a try:
>> /tmp /tmp/tmp-inst/ level root,adm
>> /var/tmp /var/tmp/tmp-inst/ level root,adm
>> $HOME /home/home.inst/ level root,adm
>>
>> Do you have any interesting messages in /var/log/secure? Since you have
>> the the debug option on your pam_namespace.so lines you should see
>> messages
>> when it creates an instance directory.
>>
>> -- ljk
>>
>> > Also I'm running X so I followed the instructions on the pam_namespace
>> > man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
>> > su and newrole do?
>> >
>> > Ted
>>
>>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: polyinstantiation, what should happen?
2007-01-19 19:12 ` Linda Knippers
@ 2007-01-22 21:30 ` Ted X Toth
0 siblings, 0 replies; 6+ messages in thread
From: Ted X Toth @ 2007-01-22 21:30 UTC (permalink / raw)
To: Linda Knippers; +Cc: selinux
Linda Knippers wrote:
> Xavier Toth wrote:
>
>> I changed namespace.conf to use 'level' and created a new user and
>> them su'd to that new user 'test' but as you'll see below the
>> directory that gets created is simply named 'test'.
>>
>> Jan 18 13:14:55 localhost su: pam_unix(su:session): session opened for
>> user test by root(uid=0)
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): open_session -
>> start
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Parsing
>> config file /etc/security/namespace.conf
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Configured poly
>> dirs:
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): dir='/tmp'
>> iprefix='/tmp-inst/' meth=1
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session):
>> dir='/var/tmp' iprefix='/var/tmp/tmp-inst/' meth=1
>>
>
> If you have "level" as the method then you should have meth=3 in the above line.
> meth=1 means "user", which doesn't even match what you sent as your original
> namespace.conf file. "user" is the default if SELinux isn't configured or if
> the pam_namespace module decides that there's no context change, which I guess
> would be the case for 'su'.
I had done a newrole before the su so there was a context change. I'm
still unclear where "meth=1" is coming from.
> What happens if you log in as that user? And
> then use newrole?
>
Logging in as the user followed by newrole causes directories to be
named with the context.
> -- ljk
>
>
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session):
>> dir='/home/test' iprefix='/home/test/test.inst/' meth=1
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 0
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 3
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): override user 500
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set up
>> namespace for pid 5761
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
>> ns override in dir /tmp for uid 503
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Need poly ns
>> for user 503 for dir /tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
>> ns override in dir /tmp for uid 503
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
>> ns for user 503 for dir /tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside
>> /tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
>> /tmp failed, Invalid argument
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
>> for directory /tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
>> (null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
>> /tmp-inst/test
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
>> ns override in dir /var/tmp for uid 503
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Setting poly
>> ns for user 503 for dir /var/tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): cwd is outside
>> /var/tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Unmount of
>> /var/tmp failed, Invalid argument
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Set namespace
>> for directory /var/tmp
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): poly_name test
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Inst ctxt
>> (null) Orig ctxt system_u:object_r:tmp_t:SystemLow-SystemHigh
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): instance_dir
>> /var/tmp/tmp-inst/test
>> Jan 18 13:14:55 localhost su: pam_namespace(su:session): Checking for
>> ns override in dir /home/test for uid 503
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Setting poly
>> ns for user 503 for dir /home/test
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): cwd is
>> outside /home/test
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Unmount of
>> /home/test failed, Invalid argument
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Set namespace
>> for directory /home/test
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): poly_name test
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): Inst ctxt
>> (null) Orig ctxt root:object_r:user_home_dir_t:SystemLow
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): instance_dir
>> /home/test/test.inst/test
>> Jan 18 13:14:56 localhost su: pam_namespace(su:session): namespace
>> setup ok for pid 5761
>>
>> On 1/17/07, Linda Knippers <linda.knippers@hp.com> wrote:
>>
>>
>>> Xavier Toth wrote:
>>>
>>>> I'm running the lspp.63 kernel along with the latest pam and newrole
>>>> off of Dan Walsh' people page.
>>>>
>>>> I've configured polyinstantiation but it doesn't work the way I
>>>> thought it would so either I don't understand or I've got it
>>>> configured wrong. In namespace.conf I've specified that I want context
>>>> to be used for the polyinstantiated instance directories but I only
>>>> getting the user name. Shouldn't the directory name contain the entire
>>>> an context?
>>>>
>>> Perhaps. I think the method field specifies when you want to
>>> polyinstantiate,
>>> not necessarily what the instance names are, although it makes sense that
>>> the directories would be named using the context and the user name.
>>> I use "level" instead of "context" on my system and I get directory
>>> names that
>>> have the full context, including level, plus the user name. By
>>> specifying
>>> "level" but I only get a new instance when I change levels, not when I
>>> change
>>> roles.
>>>
>>> My namespace.conf looks like this, if you want to give that a try:
>>> /tmp /tmp/tmp-inst/ level root,adm
>>> /var/tmp /var/tmp/tmp-inst/ level root,adm
>>> $HOME /home/home.inst/ level root,adm
>>>
>>> Do you have any interesting messages in /var/log/secure? Since you have
>>> the the debug option on your pam_namespace.so lines you should see
>>> messages
>>> when it creates an instance directory.
>>>
>>> -- ljk
>>>
>>>
>>>> Also I'm running X so I followed the instructions on the pam_namespace
>>>> man page but wasn't sure whether /etc/pam.d/gdm needed unmnt_remnt as
>>>> su and newrole do?
>>>>
>>>> Ted
>>>>
>>>
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-01-22 21:29 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-01-17 23:01 polyinstantiation, what should happen? Xavier Toth
2007-01-17 23:48 ` Linda Knippers
2007-01-18 14:55 ` Stephen Smalley
2007-01-18 19:46 ` Xavier Toth
2007-01-19 19:12 ` Linda Knippers
2007-01-22 21:30 ` Ted X Toth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.