[redhat-lspp] /tmp polyinstantiation and the man command
Linda Knippers
linda.knippers at hp.com
Mon Nov 27 23:46:34 UTC 2006
During today's conference call I mentioned a problem I'm seeing
where the man command doesn't work for certain users in certain
roles. I also mentioned separately that I have a problem accessing
/tmp at times. Turns out these problems are related. Whenever I
can't access /tmp the man command will fail. I hadn't noticed an
AVC deny before but there's one from the mktemp command:
type=AVC msg=audit(1164668073.122:853): avc: denied { write } for pid=5160
comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0
ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1164668073.122:853): arch=40000003 syscall=5 success=no
exit=-13 a0=9a80008 a1=c2 a2=180 a3=9a80008 items=0 ppid=5156 pid=5160 auid=501
uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1
comm="mktemp" exe="/bin/mktemp" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
key=(null)
I get similar messages if I try:
-bash-3.1$ touch /tmp/foo
touch: cannot touch `/tmp/foo': Permission denied
With my current example, the only way my non-root administrative user
can access /tmp is in the sysadm_r role. In the staff_r or secadm_r
roles, the user can't access /tmp.
I looked in /var/log/secure for messages and I see the /tmp directory
being set up when the user logs in. I get messages like:
Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name
system_u:object_r:staff_tmp_t:SystemLow_ljk
Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt
system_u:object_r:staff_tmp_t:SystemLow Orig ctxt
system_u:object_r:tmp_t:SystemLow-s15:c0.c1023
but I don't see any messages for any of the newroles. Now
this is starting to ring a bell. Didn't someone mention something recently
about configuring pam for newrole? My system is installed using the latest
kickstart script but maybe there's a problem with the setup?
I also can't get to the home directory for any user so I've got
problems there too.
Klaus, are you seeing the same behavior?
Does anyone have a configuration with polyinstantiation working? If so,
any advice?
--ljk
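One way to triage denials like the one above is to correlate the AVC record with the pam_namespace lines in /var/log/secure and check whether the directory being denied still carries the instance context pam_namespace said it applied. The script below is an added example, not part of the original message or of pam_namespace; its sample input is the two records quoted above, re-joined onto single lines as they would appear in the real logs.

```python
import re

# Constructed sample input: the records quoted in the post, re-joined onto the
# single lines they occupy in /var/log/audit/audit.log and /var/log/secure.
AUDIT_LOG = """\
type=AVC msg=audit(1164668073.122:853): avc: denied { write } for pid=5160 comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0 ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1164668073.122:853): arch=40000003 syscall=5 success=no exit=-13 a0=9a80008 a1=c2 a2=180 a3=9a80008 items=0 ppid=5156 pid=5160 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 comm="mktemp" exe="/bin/mktemp" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
"""
SECURE_LOG = """\
Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name system_u:object_r:staff_tmp_t:SystemLow_ljk
Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt system_u:object_r:staff_tmp_t:SystemLow Orig ctxt system_u:object_r:tmp_t:SystemLow-s15:c0.c1023
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial links an AVC to its SYSCALL
PERM_RE = re.compile(r'denied\s+\{([^}]*)\}')         # the denied permission set

def se_type(context):
    return context.split(':')[2]          # user:role:type[:range] -> type

def parse_audit_record(line):
    """One audit record -> dict of its fields, plus the event serial and denied perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = SERIAL_RE.search(line).group(1)
    m = PERM_RE.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def parse_pam_namespace(text):
    """Map each poly_name pam_namespace logged to the Inst/Orig contexts logged after it."""
    polys, pending = {}, None
    for line in text.splitlines():
        if m := re.search(r'pam_namespace\(\S+\): poly_name (\S+)', line):
            pending = m.group(1)
        elif (m := re.search(r'Inst ctxt (\S+) Orig ctxt (\S+)', line)) and pending:
            polys[pending] = {'inst': m.group(1), 'orig': m.group(2)}
    return polys

def diagnose(audit_text, secure_text):
    """Correlate each AVC denial with pam_namespace's setup of the denied directory."""
    events = {}
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_audit_record(line)
        events.setdefault(rec['serial'], {})[rec['type']] = rec
    polys, findings = parse_pam_namespace(secure_text), []
    for serial, ev in events.items():
        avc = ev.get('AVC')
        if not avc or 'perms' not in avc:
            continue
        # pam_namespace entry for the denied dir, and the label the kernel actually saw
        expected, actual = polys.get(avc.get('name')), se_type(avc['tcontext'])
        findings.append({'serial': serial, 'comm': avc.get('comm'), 'perms': avc['perms'],
                         'source_type': se_type(avc['scontext']), 'target_type': actual,
                         'expected_type': se_type(expected['inst']) if expected else None,
                         'mislabelled': bool(expected) and se_type(expected['inst']) != actual})
    return findings
```

On the sample above it reports one finding: mktemp in secadm_t was denied write on a directory labelled default_t, while pam_namespace had reported an instance context of staff_tmp_t for that same directory, so the finding is marked mislabelled.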