[redhat-lspp] New pam src rpm with namespace

Klaus Weidner klaus at atsec.com
Wed Feb 15 23:54:34 UTC 2006


On Wed, Feb 15, 2006 at 03:40:58PM -0500, Steve Grubb wrote:
> There is a new src rpm with pam_namespace located here:
> http://people.redhat.com/sgrubb/files/
> To build it, use:
> rpmbuild --rebuild pam-0.99.3.0-1.2.lspp.1.src.rpm 

Thank you (and sorry about the build issue messages) - it works for me in
nonenforcing mode, but not in enforcing mode (see below).

I'm not sure if I like the strategy of using hidden directories
/home/.inst-* and /home/.poly-* for users' home directories (similarly
for /tmp).  I think this violates the principle of least surprise, for
example for backup tools, or if the admin needs to identify who is
hogging all the disk space. How about unhidden directories that include
the user name, for example /home/sgrubb.poly-* ?

Do we need a way to get the /etc/skel/ contents copied into freshly
instantiated directories, for example through a hook script?

Here's the debug log from trying this in enforcing mode:

Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): Unable to unshare from parent namespace (Operation not permitted)
Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): namespace setup failed for pid 21272

This seems to correspond to the following avc message:

type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability

type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255

-Klaus
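
Added example, not part of the original message: a short Python sketch that pairs the AVC and SYSCALL records quoted above by their shared audit event ID and decodes the numeric fields. The lookup tables cover only the values seen in this log (i386 syscall 310, capability 21, flag 0x20000), and the function names are made up for the illustration.

```python
import re

# The two audit records copied from the message above.
AUDIT_LINES = [
    'type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability',
    'type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255',
]

# Minimal decode tables: only the values that occur in this log.
ARCH = {0x40000003: "i386"}            # AUDIT_ARCH_I386
SYSCALLS = {("i386", 310): "unshare"}  # __NR_unshare on i386
CLONE_FLAGS = {0x00020000: "CLONE_NEWNS"}
CAPS = {21: "CAP_SYS_ADMIN"}

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse(line):
    """Turn one audit record into a dict keyed by field name."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "event": (m.group(2), int(m.group(3)))}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(line[m.end():]))
    p = PERMS.search(line)
    if p:
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    return rec

def explain_denials(lines):
    """Group records by audit event ID and describe each AVC denial."""
    events = {}
    for rec in filter(None, map(parse, lines)):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or avc.get("result") != "denied":
            continue
        f = {"event": event, "perms": avc["perms"], "scontext": avc["scontext"]}
        if "capability" in avc:
            f["capability"] = CAPS.get(int(avc["capability"]), avc["capability"])
        if sc:  # syscall arguments are logged in hex
            arch = ARCH.get(int(sc["arch"], 16), sc["arch"])
            f["syscall"] = SYSCALLS.get((arch, int(sc["syscall"])), sc["syscall"])
            f["exe"] = sc["exe"]
            if f["syscall"] == "unshare":
                a0 = int(sc["a0"], 16)
                f["flags"] = [n for bit, n in CLONE_FLAGS.items() if a0 & bit]
        findings.append(f)
    return findings
```

For the records above, explain_denials(AUDIT_LINES) returns a single finding: sshd_t was denied CAP_SYS_ADMIN while /usr/sbin/sshd called unshare with CLONE_NEWNS.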



