polyinstantiation of the /tmp dir

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 6 18:39:20 UTC 2007


On Thu, 2007-09-06 at 10:33 -0700, Clarkson, Mike R (US SSA) wrote:
> 
> > -----Original Message-----
> > From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Tomas Mraz
> > Sent: Thursday, September 06, 2007 6:50 AM
> > To: fedora-selinux-list at redhat.com
> > Subject: Re: polyinstantiation of the /tmp dir
> > 
> > On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > > I'm trying to set up polyinstantiation of the /tmp directory using
> > > RHEL5. The /etc/security/namespace.conf file shows the following
> > > line as needing to be uncommented out:
> > > 	/tmp     /tmp-inst/		level		root,adm
> > >
> > > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file
> > > describes the format of the /etc/security/namespace.conf file, and the
> > > allowable values. For the <method> entry it lists the following valid values:
> > > "user", "context", "both". It doesn't list "level" as a valid value.
> > > However, "level" is the only value that I can get to work. With
> > > "user", "context", or "both", I get the following error when I attempt to
> > > use newrole to change the level of my shell:
> > > 	"pam_open_session failed with Cannot make/remove an entry for
> > > the specified session"
> > >
> > > Any ideas as to why?
> > There can be various reasons. Use the 'debug' option of pam_namespace
> > to get some debug messages in /var/log/secure which may give some more
> > insight on this.
> > 
> > >  And what other values are valid other than "level"
> > The documentation is a little bit outdated. The valid values are
> > "user", "context" and "level".
> > 
> 
> Could you explain the difference between "level" and "context"? Here is
> what I'm seeing:
> 
> If I have "/tmp     /tmp-inst/		level		root,adm" in the
> namespace.conf file, when I use the command "newrole -l s4:c10,c20",
> I get the following entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson. This entry
> contains both my name as well as the full security context of the shell
> that I've newroled to (the destination shell).
> 
> If I have "/tmp     /tmp-inst/		context		root,adm" in the
> namespace.conf file, when I use the command "newrole -l s4:c10,c20", I
> get the following entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains
> both my name as well as the full security context of the shell that I've
> newroled from (the origination shell).
> 
> Is this the expected behavior?

At present, you shouldn't really use the context option at all.  It may
eventually get used for role-based polyinstantiation, but that isn't
clear right now.

-- 
Stephen Smalley
National Security Agency
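
As an added illustration (not code from this thread or from pam_namespace itself), a small Python lint that parses namespace.conf lines in the four-field layout quoted above, flags methods outside the set Tomas gives, and warns on "context" per Stephen's reply; the instance-directory helper reproduces the `<context>_<user>` directory name Mike observed under /tmp-inst, with the `user` form assumed to be the bare user name.

```python
# Added lint for /etc/security/namespace.conf, not pam_namespace's own code.
# Field layout assumed from the thread: polydir instance_prefix method list_of_uids.
import re

VALID_METHODS = {"user", "context", "level"}   # per Tomas Mraz; "both" is outdated
DISCOURAGED_METHODS = {"context"}              # per Stephen Smalley's reply


def parse_namespace_conf(text):
    """One dict per active line (comments after '#' and blank lines skipped),
    with polydir, instance_prefix, method, uids (list) and warnings (list)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        warnings = []
        if len(fields) != 4:
            warnings.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            entries.append({"line": lineno, "raw": raw, "warnings": warnings})
            continue
        polydir, prefix, method, uids = fields
        if method not in VALID_METHODS:
            warnings.append(f"line {lineno}: unknown method '{method}' "
                            f"(valid: {', '.join(sorted(VALID_METHODS))})")
        elif method in DISCOURAGED_METHODS:
            warnings.append(f"line {lineno}: method '{method}' not recommended; "
                            "use 'level' for MLS level-based instances")
        entries.append({"line": lineno, "polydir": polydir, "instance_prefix": prefix,
                        "method": method, "uids": uids.split(","), "warnings": warnings})
    return entries


def instance_dir(entry, user, context):
    """Expected instance directory: 'user' gives <prefix><user>; the 'level' form
    <prefix><context>_<user> is taken from the directory observed in the thread."""
    if entry["method"] == "user":
        return entry["instance_prefix"] + user
    return entry["instance_prefix"] + context + "_" + user


# Constructed sample: the thread's two variants plus the outdated "both".
SAMPLE_CONF = """\
# polydir  instance_prefix  method  list_of_uids
/tmp     /tmp-inst/      level    root,adm
/tmp     /tmp-inst/      context  root,adm
/tmp     /tmp-inst/      both     root,adm
"""
```

Run it against a copy of the real file to spot an entry still using the README's "both" or the discouraged "context" before enabling pam_namespace in the PAM stack.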



