[redhat-lspp] Re: some additional pam_namespace issues ..

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 16 18:24:42 UTC 2006


On Thu, 2006-02-16 at 13:13 -0500, JANAK DESAI wrote:
> With the current implementation, you can specify if the directory should be
> polyinstantiated based on user, context or both. The config file does not make
> any distinction on which program may be trying to polyinstantiate. So if
> I have set up /tmp to polyinstantiate based on both user and context, both
> login and su will use that setup. The namespace module tries to compute
> the type-member if the polyinstantiation method involves context and
> doesn't differentiate if it was called from login or su. I will check to see if
> there is a way to easily identify the calling program.

For the default_contexts configuration, this is done by specifying the
context of the calling program as the first field, followed by the
ordered list of default contexts.  So you can have different behaviors
for local login, ssh sessions, crond, su, etc.

But a simple approach for you might just be to automatically disable
context polyinstantiation if getexeccon is NULL, as that indicates that
no context change is going to occur.

-- 
Stephen Smalley
National Security Agency
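The two ideas in Stephen's reply, modelled as a small added example (this is not pam_namespace or libselinux code, and the table below is constructed): a default_contexts-style table keyed on the calling program's context, looked up per caller, and a rule that drops context-based polyinstantiation when the exec context that getexeccon() would return is NULL. The matching on the role:type portion of the caller's context is a simplification assumed here, not a reproduction of libselinux's exact lookup rules.

```python
"""Constructed model of per-caller default contexts and of the
'no exec context => no context polyinstantiation' rule."""
from typing import Dict, List, Optional

# Constructed sample in the default_contexts layout described in the mail:
# first field is the role:type of the calling program, the remaining
# fields are that caller's ordered list of default contexts.
DEFAULT_CONTEXTS = """\
# caller            ordered defaults (constructed values)
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t        user_r:user_t staff_r:staff_t
system_r:crond_t       system_r:system_crond_t
"""


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Parse the table into {caller role:type -> [defaults...]}."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        table[fields[0]] = fields[1:]
    return table


def role_type(context: str) -> str:
    """Reduce a full context user:role:type[:level] to its role:type part."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a user:role:type context: {context!r}")
    return f"{parts[1]}:{parts[2]}"


def defaults_for_caller(table: Dict[str, List[str]], caller_context: str) -> List[str]:
    """Return the ordered defaults for the calling program, or [] if unknown.
    This is how login, sshd, crond and su can get different behaviour."""
    return table.get(role_type(caller_context), [])


def effective_method(method: str, exec_context: Optional[str]) -> Optional[str]:
    """Return the polyinstantiation method actually applied.

    method is 'user', 'context' or 'both' (the three choices the mail
    describes). exec_context stands for what getexeccon() would return:
    None means no context change is going to occur, so any context-based
    part of the method is dropped; 'both' degrades to 'user' and 'context'
    alone becomes no polyinstantiation at all.
    """
    if method not in ("user", "context", "both"):
        raise ValueError(f"unknown polyinstantiation method: {method!r}")
    if exec_context is None:
        return "user" if method in ("user", "both") else None
    return method


if __name__ == "__main__":
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    print(defaults_for_caller(table, "system_u:system_r:sshd_t:s0"))
    print(effective_method("both", None))      # user only: no exec context set
    print(effective_method("context", None))   # nothing to polyinstantiate on
```

The caller lookup uses only the role:type part of the context so that the MLS level and SELinux user of the calling process do not have to be spelled out in the table; whether a real deployment keys on more than that is a policy decision, not something this example settles.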
