Polyinstantiated directory instance name bug?

Janak Desai janak at us.ibm.com
Mon Jun 26 19:11:44 UTC 2006


On Mon, 2006-06-26 at 11:29 -0500, Joe Nall wrote:
> On Jun 26, 2006, at 8:46 AM, Janak Desai wrote:
> 
> >
> > Can you tell me if this happens for login as well as ssh? and if your
> > /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module.
> 
> I've been testing using su/ssh from an xterm in MLS/permissive.
> 
> If I login as user 'test' to a virtual terminal, the context is  
> 'root:object_r:var_t:SystemLow'. Shouldn't it be  
> 'user_u:user_r:user_t:SystemLow'? That is what 'id -Z' shows after I  
> login.
> 
> /etc/pam.d/login
> #%PAM-1.0
> auth       required     pam_securetty.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    include      system-auth
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should be the last session rule
> session    required     pam_selinux.so open
> session    required     pam_namespace.so debug
> 
> /etc/pam.d/su
> #%PAM-1.0
> auth            sufficient      pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth           sufficient      pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth           required        pam_wheel.so use_uid
> auth            include         system-auth
> account         include         system-auth
> password        include         system-auth
> session         include         system-auth
> session         optional        pam_xauth.so
> session         required        pam_namespace.so debug unmt_remnt
> 
> /etc/pam.d/sshd
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> session    required     pam_loginuid.so
> session    required     pam_namespace.so debug
> 
> 
> > Since you are using the debug option, /var/log/secure should have a
> > bunch of pam_namespace options connected to this session. Can you tell
> > me what the "poly_name ..." and "Inst ctxt .." messages look like?
> 
> For the virtual terminal login case
> 
> Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
> 
> For the ssh from another machine case
> 
> Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
> 
> ssh test at localhost case (why is this different?)
> 
> Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Configured poly dirs:
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 0
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 3
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548
> 
> For the su - test case
> 
> Jun 26 11:10:00 cipso su: pam_unix(su:session): session opened for user testdev by root(uid=0)
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): open_session - start
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Configured poly dirs:
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 0
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 3
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set up namespace for pid 6784
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): poly_name testdev
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): namespace setup ok for pid 6784
> 
> 

Thanks for the info. The context in the "context" mode of polyinstantiating
is not automatically set to the context of the shell, but it is set to the
context returned by security_compute_member(). security_compute_member() asks
the policy to compute the security context of a polyinstantiated member/instance
based on the source (which in this case is the shell) context, and the context
of the directory to polyinstantiate.

I will sync with the latest policy sources from rawhide, experiment with the
type-member rules and let you know how you can control the context of polyinstantiated
instances.

-Janak
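A small checker, added here as an example and not part of the thread, that parses pam_namespace debug lines like those quoted above and flags the symptom under discussion: a context-mode (meth=1) session whose instance context came back equal to the directory's original context, so the instance name is not derived from the user's context. The sample log is constructed from the quoted output; the grouping key and check logic are this example's own assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: one context-mode (meth=1) and one user-mode (meth=0)
# pam_namespace session, modelled on the debug lines quoted in the thread.
SAMPLE_LOG = """\
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
"""

# Assumption: everything up to "pam_namespace(service:session)" identifies one session.
SESSION_RE = re.compile(r"^(?P<sess>.*?pam_namespace\([^)]*\)): (?P<msg>.*)$")
FIELD_RES = [
    re.compile(r"iprefix='(?P<iprefix>[^']*)' meth=(?P<meth>\d)"),
    re.compile(r"^poly_name (?P<poly_name>\S+)$"),
    re.compile(r"^Inst context (?P<inst>\S+) Orig context (?P<orig>\S+)$"),
    re.compile(r"^instance_dir (?P<instance_dir>\S+)$"),
]

def parse_sessions(log):
    """Group debug lines by session prefix and collect the fields of interest."""
    sessions = defaultdict(dict)
    for line in log.splitlines():
        m = SESSION_RE.match(line)
        if m:
            for rx in FIELD_RES:
                f = rx.search(m["msg"])
                if f:
                    sessions[m["sess"]].update(f.groupdict())
    return dict(sessions)

def audit(session):
    """Return findings for one parsed session; an empty list means nothing odd."""
    findings = []
    # meth=1 is context mode: poly_name is the member context the policy computed.
    # If it equals the directory's own context, no distinct instance context was derived.
    if session.get("meth") == "1" and session.get("inst") == session.get("orig"):
        findings.append("context mode: instance context equals the directory's original context")
    expected = session.get("iprefix", "") + session.get("poly_name", "")  # always iprefix + poly_name
    if session.get("instance_dir") != expected:
        findings.append(f"instance_dir {session.get('instance_dir')} != expected {expected}")
    return findings

if __name__ == "__main__":
    for sess, fields in parse_sessions(SAMPLE_LOG).items():
        print(sess, "->", audit(fields) or ["ok"])
```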



