[redhat-lspp] New pam src rpm with namespace

JANAK DESAI janak at us.ibm.com
Thu Feb 16 15:08:17 UTC 2006


Klaus Weidner wrote:

>On Wed, Feb 15, 2006 at 03:40:58PM -0500, Steve Grubb wrote:
>
>>There is a new src rpm with pam_namespace located here:
>>http://people.redhat.com/sgrubb/files/
>>To build it, use:
>>rpmbuild --rebuild pam-0.99.3.0-1.2.lspp.1.src.rpm
>
>Thank you (and sorry about the build issue messages) - it works for me in
>nonenforcing mode, but not in enforcing mode (see below).

ssh works for me on FC5 Test2 with targeted policy. I guess it was further
locked down since Test2 release?

>I'm not sure if I like the strategy of using hidden directories
>/home/.inst-* and /home/.poly-* for user's home directories (similarly
>for /tmp).  I think this violates the principle of least surprise, for
>example for backup tools, or if the admin needs to identify who is
>hogging all the disk space. How about unhidden directories that include
>the user name, for example /home/sgrubb.poly-* ?

The pam maintainer also expressed an interest in putting user name in the
instance directory name. One thing to keep in mind is that it is possible to
polyinstantiate based on the context only; in that case there is no user
tied to the instance directory. Also, if the instance parent is different
than the polyinstantiated directory, then instance directories belonging to
other users are visible to an ordinary user. If those directories are
identified with user names, are we opening up a channel?

>Do we need a way to get the /etc/skel/ contents copied into freshly
>instantiated directories, for example through a hook script?
>
>Here's the debug log from trying this in enforcing mode:
>
>Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): Unable to unshare from parent namespace (Operation not permitted)
>Feb 15 17:25:32 rawhide sshd[21272]: pam_namespace(sshd:session): namespace setup failed for pid 21272
>
>This seems to correspond to the following avc message:
>
>type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability
>
>type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255
>
>-Klaus

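Added example (not part of the original message or of pam_namespace): a small Python decoder for the AVC and SYSCALL records quoted above, pairing them by event serial and translating the numeric fields. The lookup tables cover the values that occur in these two records, and the function names are illustrative.

```python
import re

# The two audit records quoted in the message above, copied verbatim.
SAMPLE = '''type=AVC msg=audit(1140046087.255:618): avc:  denied  { sys_admin } for  pid=21295 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c255 tclass=capability
type=SYSCALL msg=audit(1140046087.255:618): arch=40000003 syscall=310 success=no exit=-1 a0=20000 a1=1 a2=2e64a8 a3=0 items=0 pid=21295 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c255
'''

# Partial lookup tables: only the values that occur in these records.
ARCHES = {0x40000003: "i386"}               # AUDIT_ARCH_I386
SYSCALLS = {("i386", 310): "unshare"}
CLONE_FLAGS = {0x00020000: "CLONE_NEWNS"}   # new mount namespace
CAPS = {21: "CAP_SYS_ADMIN"}

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

def parse_records(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _stamp, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        v = VERDICT.search(rest)
        if v:
            fields["verdict"], fields["perms"] = v.group(1), v.group(2).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def explain(event):
    """Decode one event that has both an AVC and a SYSCALL record."""
    avc, sc = event["AVC"], event["SYSCALL"]
    arch = ARCHES.get(int(sc["arch"], 16), sc["arch"])
    a0 = int(sc["a0"], 16)                      # audit logs arguments in hex
    src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    return {
        "syscall": SYSCALLS.get((arch, int(sc["syscall"])), sc["syscall"]),
        "flags": [n for bit, n in CLONE_FLAGS.items() if a0 & bit],
        "success": sc["success"] == "yes",
        "capability": CAPS.get(int(avc["capability"]), avc["capability"]),
        "domain": src,
        # Rule this denial maps to, for policy review.
        "te_rule": "allow %s %s:%s { %s };" % (
            src, "self" if src == tgt else tgt, avc["tclass"], " ".join(avc["perms"])),
    }

if __name__ == "__main__":
    for serial, event in parse_records(SAMPLE).items():
        print(serial, explain(event))
```

Decoded, the event is `unshare(CLONE_NEWNS)` issued from the `sshd_t` domain and refused for lack of `CAP_SYS_ADMIN`, which matches the "Unable to unshare from parent namespace" message in the pam_namespace debug log.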