On Sun, 2006-06-25 at 12:55 -0500, Joe Nall wrote:
> I added the following line to the end of /etc/pam.d/[login,sshd,su]
> session required pam_namespace.so debug
>
> I added the following line to /etc/security/namespace.conf
> /var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm
>
> If I ssh to test@localhost and touch /var/polyinstantiated/foo I get
>
> cd /var
> [root@cipso var]# ls -lR polyinstantiated/
> polyinstantiated/:
> total 20
> d--------- 3 root root 4096 Jun 23 18:32 polyinstantiated-inst
>
> polyinstantiated/polyinstantiated-inst:
> total 8
> drwxrwxrwx 2 root root 4096 Jun 23 18:41 test
>
> polyinstantiated/polyinstantiated-inst/test:
> total 8
> -rw-rw-r-- 1 test test 0 Jun 23 18:41 bar
> -rw-rw-r-- 1 test test 0 Jun 23 18:35 foo
>
> Shouldn't the instance name be the context instead of the username
> (test)?
>
> joe
>

Can you tell me if this happens for login as well as ssh, and if your /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module?

Since you are using the debug option, /var/log/secure should have a bunch of pam_namespace options connected to this session. Can you tell me what the "poly_name ..." and "Inst ctxt .." messages look like?

Currently the namespace module switches to the "user" mode even if the namespace.conf specifies "context" or "both" in the event that the program has not requested a context change for the next exec using setexeccon.

Thanks.
-Janak

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
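
The reply above asks whether pam_selinux is stacked and explains that pam_namespace falls back to "user" mode when no exec context has been requested. As an added example (not part of the thread), this shell function checks a PAM service file for that condition; it assumes pam_selinux's open phase is what requests the exec context and so must run before pam_namespace. The function name and both sample stacks are constructed for illustration.

```shell
# Added example, not from the thread. Exit status of check_pam_order FILE:
#   0  a pam_selinux.so session line that performs "open" precedes pam_namespace.so
#   1  pam_namespace.so runs with no earlier pam_selinux.so open
#      (the case in which the reply says "user" mode is used)
#   2  pam_namespace.so is not in this file's session stack
# "include" lines are not followed; check the included file separately.
check_pam_order() {
    awk '
        $1 ~ /^#/ { next }                               # comment line
        $1 != "session" && $1 != "-session" { next }     # other stacks, blanks
        {
            selinux = ns = close_only = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_selinux\.so$/)   selinux = 1
                if ($i ~ /pam_namespace\.so$/) ns = 1
                if ($i == "close")             close_only = 1
            }
            # pam_selinux.so without the "close" argument runs its open phase
            if (selinux && !close_only) opened = 1
            if (ns) { seen_ns = 1; if (!opened) bad = 1 }
        }
        END { if (!seen_ns) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

demo_dir=$(mktemp -d)
# Constructed sample: pam_namespace appended, no pam_selinux in the file.
printf '%s\n' \
    'session required pam_loginuid.so' \
    'session required pam_namespace.so debug' > "$demo_dir/appended"
# Constructed sample: pam_selinux open stacked ahead of pam_namespace.
printf '%s\n' \
    'session required pam_selinux.so close' \
    'session required pam_selinux.so open' \
    'session required pam_namespace.so debug' > "$demo_dir/stacked"

for f in appended stacked; do
    rc=0
    check_pam_order "$demo_dir/$f" || rc=$?
    echo "$f: status $rc"
done
```

On a real system, run it against each of /etc/pam.d/login, /etc/pam.d/sshd and /etc/pam.d/su, and compare the result with the "poly_name" debug lines in /var/log/secure.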