[redhat-lspp] /tmp polyinstantiation and the man command

Linda Knippers linda.knippers at hp.com
Mon Nov 27 23:46:34 UTC 2006


During today's conference call I mentioned a problem I'm seeing
where the man command doesn't work for certain users in certain
roles.  I also mentioned separately that I have a problem accessing
/tmp at times.  Turns out these problems are related.  Whenever I
can't access /tmp the man command will fail.  I hadn't noticed an
AVC deny before but there's one from the mktemp command:

type=AVC msg=audit(1164668073.122:853): avc:  denied  { write } for  pid=5160
comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0
ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1164668073.122:853): arch=40000003 syscall=5 success=no
exit=-13 a0=9a80008 a1=c2 a2=180 a3=9a80008 items=0 ppid=5156 pid=5160 auid=501
uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1
comm="mktemp" exe="/bin/mktemp" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
key=(null)

I get similar messages if I try:
-bash-3.1$ touch /tmp/foo
touch: cannot touch `/tmp/foo': Permission denied

With my current example, the only way my non-root administrative user
can access /tmp is in the sysadm_r role.  In the staff_r or secadm_r
roles, the user can't access /tmp.

I looked in /var/log/secure for messages and I see the /tmp directory
being set up when the user logs in.  I get messages like:

Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name
system_u:object_r:staff_tmp_t:SystemLow_ljk
Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt
system_u:object_r:staff_tmp_t:SystemLow Orig ctxt
system_u:object_r:tmp_t:SystemLow-s15:c0.c1023

but I don't see any messages for any of the newroles.  Now
this is starting to ring a bell.  Didn't someone mention something recently
about configuring pam for newrole?  My system is installed using the latest
kickstart script but maybe there's a problem with the setup?

I also can't get to the home directory for any user so I've got
problems there too.

Klaus, are you seeing the same behavior?

Does anyone have a configuration with polyinstantiation working?  If so,
any advice?

--ljk