Polyinstantiated directory instance name bug?
Janak Desai
janak at us.ibm.com
Mon Jun 26 13:46:22 UTC 2006
On Sun, 2006-06-25 at 12:55 -0500, Joe Nall wrote:
> I added the following line to the end of /etc/pam.d/[login,sshd,su]
> session required pam_namespace.so debug
>
> I added the following line to /etc/security/namespace.conf
> /var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm
>
> If I ssh to test@localhost and touch /var/polyinstantiated/foo I get
>
> cd /var
> [root@cipso var]# ls -lR polyinstantiated/
> polyinstantiated/:
> total 20
> d--------- 3 root root 4096 Jun 23 18:32 polyinstantiated-inst
>
> polyinstantiated/polyinstantiated-inst:
> total 8
> drwxrwxrwx 2 root root 4096 Jun 23 18:41 test
>
> polyinstantiated/polyinstantiated-inst/test:
> total 8
> -rw-rw-r-- 1 test test 0 Jun 23 18:41 bar
> -rw-rw-r-- 1 test test 0 Jun 23 18:35 foo
>
> Shouldn't the instance name be the context instead of the username
> (test)?
>
> joe
>
>
Can you tell me if this happens for login as well as ssh, and if your
/etc/pam.d/[login,ssh] files are also stacking the pam_selinux module?
Since you are using the debug option, /var/log/secure should have a
bunch of pam_namespace options connected to this session. Can you tell
me what the "poly_name ..." and "Inst ctxt .." messages look like?
Currently the namespace module switches to the "user" mode even if
the namespace.conf specifies "context" or "both" in the event that
the program has not requested a context change for the next exec using
setexeccon.
Thanks.
-Janak
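
Added example, not part of the original message and not pam_namespace source code: a Python model of the fallback described in the reply, applied to the namespace.conf entry quoted in the thread. The function names, the sample context string and the naming used for the "both" method are assumptions made for illustration.

```python
# Added illustration: models the described fallback; this is not pam_namespace code.
from dataclasses import dataclass
from typing import Optional, Tuple

METHODS = ("user", "context", "both")

@dataclass(frozen=True)
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str
    exempt_users: Tuple[str, ...]  # users for whom no polyinstantiation is done

def parse_namespace_line(line: str) -> Optional[PolyDir]:
    """Parse 'polydir instance_prefix method [user,user,...]'; None if blank/comment."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) not in (3, 4) or fields[2] not in METHODS:
        raise ValueError(f"malformed namespace.conf entry: {line!r}")
    exempt = tuple(u for u in fields[3].split(",") if u) if len(fields) == 4 else ()
    return PolyDir(fields[0], fields[1], fields[2], exempt)

def effective_method(entry: PolyDir, exec_context: Optional[str]) -> str:
    """'context' and 'both' drop to 'user' when no exec context was requested."""
    if entry.method in ("context", "both") and exec_context is None:
        return "user"
    return entry.method

def instance_path(entry: PolyDir, user: str,
                  exec_context: Optional[str] = None) -> Optional[str]:
    """Predicted instance directory, or None when the user is exempt."""
    if user in entry.exempt_users:
        return None
    method = effective_method(entry, exec_context)
    if method == "user":
        name = user
    elif method == "context":
        name = exec_context
    else:
        name = f"{exec_context}_{user}"  # assumed naming for "both"
    return entry.instance_prefix.rstrip("/") + "/" + name

# Entry quoted in the thread; the context below is a constructed sample value.
ENTRY = parse_namespace_line(
    "/var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm")
SAMPLE_CONTEXT = "user_u:system_r:unconfined_t"

if __name__ == "__main__":
    print(instance_path(ENTRY, "test"))                  # no setexeccon request
    print(instance_path(ENTRY, "test", SAMPLE_CONTEXT))  # exec context was set
```

With no exec context the model yields the `test` instance directory seen in the `ls -lR` output; with one set, the instance is named after the context.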