[redhat-lspp] New pam src rpm with namespace
Russell Coker
rcoker at redhat.com
Thu Feb 16 00:08:56 UTC 2006
On Wed, 2006-02-15 at 17:54 -0600, Klaus Weidner wrote:
> Here's the debug log from trying this in enforcing mode:
>
> Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): Unable to unshare from parent namespace (Operation not permitted)
> Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): namespace setup failed for pid 21272
>
> This seems to correspond to the following avc message:
>
> type=AVC msg=audit(1140046087.255:618): avc: denied { sys_admin } for pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability
>
> type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255
Might it be time to split sys_admin capability?
sshd by its nature needs network access and therefore is something we
want to lock down as much as possible. sys_admin gives a heap of access
and we certainly don't want to permit all that if we can avoid it.
Below are the sys_admin items which don't seem to be restricted by other
parts of SE Linux policy.
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow VM86_REQUEST_IRQ */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow forged pids on socket credentials passing */
/* Allow reading non-standardized portions of pci configuration space */
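As an added illustration (not part of the original thread, and not code from
pam_namespace or the policy), the following script decodes the two audit
records quoted above and correlates them the way one would when deciding
which capability a domain actually needs. The lookup tables are small subsets
copied from linux/capability.h, linux/audit.h, linux/sched.h and the x86
syscall tables; arch 40000003 is AUDIT_ARCH_I386, syscall 310 on i386 is
unshare, and a0=20000 is CLONE_NEWNS, which is exactly the unshare() that
pam_namespace issues and that the kernel gates on CAP_SYS_ADMIN. The third
record is a constructed non-capability denial, included only to show that it
is ignored.

```python
import re

# Subset of linux/capability.h (the numbers are stable kernel ABI).
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 24: "CAP_SYS_RESOURCE",
}

# AUDIT_ARCH_*: ELF machine number OR'd with 0x40000000 (little-endian)
# and 0x80000000 (64-bit). Only the two x86 values are listed here.
AUDIT_ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Syscall numbers are per-arch; subset of the x86 tables (unshare is 310
# on i386 and 272 on x86_64).
SYSCALLS = {
    "i386":   {310: "unshare", 120: "clone", 21: "mount", 61: "chroot"},
    "x86_64": {272: "unshare", 56: "clone", 165: "mount", 161: "chroot"},
}

# CLONE_* bits from linux/sched.h that unshare()/clone() accept.
CLONE_FLAGS = {
    0x00000100: "CLONE_VM", 0x00000200: "CLONE_FS", 0x00000400: "CLONE_FILES",
    0x00000800: "CLONE_SIGHAND", 0x00020000: "CLONE_NEWNS",
    0x00040000: "CLONE_SYSVSEM", 0x04000000: "CLONE_NEWUTS",
    0x08000000: "CLONE_NEWIPC", 0x10000000: "CLONE_NEWUSER",
    0x20000000: "CLONE_NEWPID", 0x40000000: "CLONE_NEWNET",
}

# First two lines are the records quoted in the thread; the third is a
# constructed file denial with no matching SYSCALL record.
SAMPLE_LINES = [
    'type=AVC msg=audit(1140046087.255:618): avc: denied { sys_admin } for pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability',
    'type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255',
    'type=AVC msg=audit(1140046087.300:619): avc: denied { read } for pid=21295 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
DENIED_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into a dict of key=value fields.

    Adds 'timestamp' and 'serial' from msg=audit(ts:serial) and, for AVC
    records, 'denied' as the list of permissions inside the braces.
    """
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ident = AUDIT_ID_RE.search(line)
    if ident:
        fields["timestamp"] = ident.group(1)
        fields["serial"] = int(ident.group(2))
    denied = DENIED_RE.search(line)
    if denied:
        fields["denied"] = denied.group(1).split()
    return fields


def decode_clone_flags(hexval):
    """Turn the hex a0 of unshare()/clone() into CLONE_* names; unknown bits
    are reported as a hex remainder rather than silently dropped."""
    value = int(hexval, 16)
    names = [name for bit, name in sorted(CLONE_FLAGS.items()) if value & bit]
    leftover = value & ~sum(CLONE_FLAGS.keys())
    if leftover:
        names.append("0x%x" % leftover)
    return names


def correlate(lines):
    """Pair AVC capability denials with the SYSCALL record of the same
    serial and explain which syscall and arguments triggered the check."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec

    findings = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc and avc.get("tclass") == "capability"):
            continue  # not a capability denial, or no syscall context
        arch = AUDIT_ARCHES.get(int(sc["arch"], 16), "unknown")
        nr = int(sc["syscall"])
        finding = {
            "serial": serial,
            "comm": sc.get("comm"),
            "scontext": avc.get("scontext"),
            "capability": CAPABILITIES.get(int(avc["capability"]),
                                           "CAP#" + avc["capability"]),
            "permission": avc.get("denied", []),
            "arch": arch,
            "syscall": SYSCALLS.get(arch, {}).get(nr, "syscall#%d" % nr),
            "success": sc.get("success") == "yes",
            "exit": int(sc.get("exit", "0")),
        }
        if finding["syscall"] in ("unshare", "clone"):
            finding["flags"] = decode_clone_flags(sc["a0"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LINES):
        print("%(comm)s (%(scontext)s) denied %(capability)s in "
              "%(syscall)s on %(arch)s, flags=%(flags)s, exit=%(exit)d" % f)
```

Run against the records from the thread it reports the denial as
CAP_SYS_ADMIN checked by unshare(CLONE_NEWNS) on i386 with exit -1, i.e.
the EPERM that pam_namespace logs; the same decoding shows what any other
sys_admin denial was actually for, which is the information needed to argue
for a finer-grained split.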