polyinstantiation of the /tmp dir

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Thu Sep 6 17:33:12 UTC 2007



> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Tomas Mraz
> Sent: Thursday, September 06, 2007 6:50 AM
> To: fedora-selinux-list at redhat.com
> Subject: Re: polyinstantiation of the /tmp dir
> 
> On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > I'm trying to set up polyinstantiation of the /tmp directory using
> > RHEL5. The /etc/security/namespace.conf file shows the following line as
> > needing to be uncommented out:
> > 	/tmp     /tmp-inst/		level		root,adm
> >
> > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> > the format of the /etc/security/namespace.conf file, and the allowable
> > values. For the <method> entry it lists the following valid values:
> > "user", "context", "both". It doesn't list "level" as a valid value.
> > However, "level" is the only value that I can get to work. With "user",
> > "context", or "both", I get the following error when I attempt to use
> > newrole to change the level of my shell:
> > 	"pam_open_session failed with Cannot make/remove an entry for
> > the specified session"
> >
> > Any ideas as to why?
> There can be various reasons. Use the 'debug' option of pam_namespace to
> get some debug messages in /var/log/secure which may give some more
> insight on this.
> 
> > And what other values are valid other than "level"?
> The documentation is a little bit outdated. The valid values are "user",
> "context" and "level".
> 

Could you explain the difference between "level" and "context"? Here is
what I'm seeing:

If I have "/tmp     /tmp-inst/		level		root,adm" in the namespace.conf
file, when I use the command "newrole -l s4:c10,c20", I get the following
entry under the /tmp-inst directory:
system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson. This entry
contains both my name as well as the full security context of the shell
that I've newroled to (the destination shell).

If I have "/tmp     /tmp-inst/		context		root,adm" in the
namespace.conf file, when I use the command "newrole -l s4:c10,c20", I
get the following entry under the /tmp-inst directory:
system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains
both my name as well as the full security context of the shell that I've
newroled from (the origination shell).

Is this the expected behavior?

Thanks

> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
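
The following is an added example, not code from this thread or from pam_namespace itself. It parses namespace.conf lines in the four-column layout the README describes (polydir, instance prefix, method, list of users for whom polyinstantiation is not performed), rejects any method outside the corrected set "user", "context", "level" that Tomas gives, and builds the instance directory name for the "context" and "level" methods from the pattern visible in the two directory names above (<context>_<username>). The names parse_namespace_conf and instance_dir, the sample file, and the naming rule for the "user" method (assumed here to be just the user name) are assumptions of this example, not something the thread states.

```python
"""Parse and validate /etc/security/namespace.conf entries (added example).

Column layout follows README.pam_namespace as quoted in the thread:
    polydir  instance_prefix  method  comma_separated_exempt_users
The valid-method set is the corrected one from the reply: user, context,
level ("both" is not accepted).  Naming for context/level copies the pattern
observed in the thread; naming for "user" is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_METHODS = {"user", "context", "level"}


@dataclass
class PolyDir:
    polydir: str            # directory to polyinstantiate, e.g. /tmp
    instance_prefix: str    # where instances live, e.g. /tmp-inst/
    method: str             # user | context | level
    exempt_users: List[str] # users for whom no instance is created
    lineno: int


def parse_namespace_conf(text: str) -> Tuple[List[PolyDir], List[Tuple[int, str]]]:
    """Return (entries, problems); problems are (lineno, message) pairs."""
    entries: List[PolyDir] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            problems.append((lineno, "expected 4 fields, got %d" % len(fields)))
            continue
        polydir, prefix, method, users = fields
        if method not in VALID_METHODS:
            problems.append((lineno, 'invalid method "%s"; valid: %s'
                             % (method, ", ".join(sorted(VALID_METHODS)))))
            continue
        entries.append(PolyDir(polydir, prefix, method,
                               users.split(","), lineno))
    return entries, problems


def instance_dir(entry: PolyDir, user: str, context: str) -> Optional[str]:
    """Instance directory a session would get, or None if the user is exempt.

    context is the SELinux context string the instance is named after
    (the thread shows the destination shell's context for "level" and the
    origin shell's for "context").  For "user" the name is assumed to be
    just the user name (assumption, not stated in the thread).
    """
    if user in entry.exempt_users:
        return None
    if entry.method == "user":
        name = user
    else:
        name = "%s_%s" % (context, user)
    return entry.instance_prefix.rstrip("/") + "/" + name


# Constructed sample: the RHEL5 default /tmp line plus a deliberately
# wrong "both" line to show the validator catching outdated documentation.
SAMPLE_CONF = """\
# /etc/security/namespace.conf (constructed sample)
/tmp        /tmp-inst/              level    root,adm
/var/tmp    /var/tmp/tmp-inst/      context  root,adm
$HOME       $HOME/$USER.inst/       both     root
"""


def demo() -> Optional[str]:
    """Reproduce the 'level' directory name reported in the thread."""
    entries, problems = parse_namespace_conf(SAMPLE_CONF)
    for lineno, msg in problems:
        print("namespace.conf:%d: %s" % (lineno, msg))
    tmp = next(e for e in entries if e.polydir == "/tmp")
    return instance_dir(tmp, "mr_clarkson",
                        "system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255")


if __name__ == "__main__":
    print(demo())
```

Running the block prints one validation error for the "both" line and the /tmp-inst path for user mr_clarkson; root and adm, listed in the last column, get None because no instance is made for them.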
