[redhat-lspp] New pam src rpm with namespace

Russell Coker rcoker at redhat.com
Thu Feb 16 00:08:56 UTC 2006


On Wed, 2006-02-15 at 17:54 -0600, Klaus Weidner wrote:
> Here's the debug log from trying this in enforcing mode:
> 
> Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): Unable to unshare from parent namespace (Operation not permitted)
> Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): namespace setup failed for pid 21272
> 
> This seems to correspond to the following avc message:
> 
> type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability
> 
> type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255

Might it be time to split sys_admin capability?

sshd by its nature needs network access and therefore is something we
want to lock down as much as possible.  sys_admin gives a heap of access
and we certainly don't want to permit all that if we can avoid it.

Below are the sys_admin items which don't seem to be restricted by other
parts of SE Linux policy.

/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow VM86_REQUEST_IRQ */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
   and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow forged pids on socket credentials passing */
/* Allow reading non-standardized portions of pci configuration space */
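As an added example (not code from the thread), this Python decodes the two audit records quoted above: it joins the AVC and SYSCALL records on their audit serial, names the denied capability, and decodes syscall 310 on arch 40000003 as unshare(2) with the CLONE_NEWNS flag taken from a0, so the denial can be tied to the exact namespace operation before deciding what policy should allow. The capability, syscall and flag tables are small hand-copied subsets of the kernel headers, and the log lines are constructed copies of the ones in the message.

```python
import re
# Constructed copies of the two audit records quoted in the thread (both carry serial 618).
AUDIT_LINES = [
    'type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 '
    'comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 '
    'tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability',
    'type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no '
    'exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 '
    'euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" '
    'exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255',
]
# Small subsets of the kernel tables (capability.h, unistd.h, sched.h) sufficient for this trace.
CAPABILITY_NAMES = {0: "CAP_CHOWN", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}
AUDIT_ARCH = {"40000003": "i386", "c000003e": "x86_64"}
UNSHARE_NR = {"i386": 310, "x86_64": 272}
CLONE_FLAGS = {0x00020000: "CLONE_NEWNS", 0x04000000: "CLONE_NEWUTS", 0x08000000: "CLONE_NEWIPC"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERM_RE = re.compile(r'\{ ([^}]*) \}')

def parse_record(line):
    """Split one audit record into key/value fields plus its serial and any denied permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    rec["denied"] = " ".join(PERM_RE.findall(line)).split()
    return rec

def explain_denials(lines):
    """Join AVC and SYSCALL records on the audit serial and decode capability denials."""
    by_serial = {}
    for rec in map(parse_record, lines):
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    results = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or avc.get("tclass") != "capability":
            continue  # only capability denials are decoded here
        cap = int(avc["capability"])
        out = {"serial": serial, "comm": avc["comm"], "denied": avc["denied"],
               "domain": avc["scontext"].split(":")[2],
               "capability": CAPABILITY_NAMES.get(cap, f"cap_{cap}")}
        if sc is not None:
            arch, nr = AUDIT_ARCH.get(sc["arch"], sc["arch"]), int(sc["syscall"])
            out.update(arch=arch, success=sc["success"] == "yes", syscall=f"syscall_{nr}")
            if UNSHARE_NR.get(arch) == nr:  # a0 holds the unshare(2) flag mask
                flags = int(sc["a0"], 16)
                out.update(syscall="unshare", flags=[n for b, n in CLONE_FLAGS.items() if flags & b])
        results.append(out)
    return results
```

For the records above this yields one entry: sshd_t denied CAP_SYS_ADMIN while calling unshare(CLONE_NEWNS) on i386, which is exactly the pam_namespace unshare failure in the log.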
