Re: Polyinstantiated directory instance name bug?


On Jun 26, 2006, at 8:46 AM, Janak Desai wrote:


Can you tell me if this happens for login as well as ssh? And if your
/etc/pam.d/[login,ssh] files are also stacking the pam_selinux module.

I've been testing using su/ssh from an xterm in MLS/permissive.

If I login as user 'test' to a virtual terminal, the context is 'root:object_r:var_t:SystemLow'. Shouldn't it be 'user_u:user_r:user_t:SystemLow'? That is what 'id -Z' shows after I login.

/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
session    required     pam_namespace.so debug

/etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
session         required        pam_namespace.so debug unmnt_remnt

/etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    required     pam_namespace.so debug


Since you are using the debug option, /var/log/secure should have a
bunch of pam_namespace options connected to this session. Can you tell
me what the "poly_name ..." and "Inst ctxt .." messages look like?

For the virtual terminal login case

Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703

For the ssh from another machine case

Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703

ssh test@localhost case (why is this different?)

Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Configured poly dirs:
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 3
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548

For the su - test case

Jun 26 11:10:00 cipso su: pam_unix(su:session): session opened for user testdev by root(uid=0)
Jun 26 11:10:00 cipso su: pam_namespace(su:session): open_session - start
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Configured poly dirs:
Jun 26 11:10:00 cipso su: pam_namespace(su:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 3
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set up namespace for pid 6784
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): poly_name testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:10:00 cipso su: pam_namespace(su:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): namespace setup ok for pid 6784


Currently the namespace module switches to the "user" mode even if
the namespace.conf specifies "context" or "both" in the event that
the program has not requested a context change for the next exec using
setexeccon.

Thanks.

-Janak
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
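The fallback Janak describes, as an added C model (not pam_namespace's own code): the instance name is derived from the configured method unless no exec context was set before the session, in which case "context" and "both" silently degrade to "user" mode. The member context is taken as an input (NULL standing in for "the program never called setexeccon"), and the "both" name format "<context>_<user>" is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Methods as written in namespace.conf; the numbers match "meth=" in the debug log. */
enum poly_method { POLY_USER = 0, POLY_CONTEXT = 1, POLY_BOTH = 2 };

struct instance {
    enum poly_method meth;   /* method actually used, after any fallback */
    char poly_name[256];     /* name appended to iprefix */
    const char *inst_ctx;    /* context for the instance dir; NULL in user mode */
    char instance_dir[512];
};

/* Model of the behaviour from the thread: member_ctx == NULL means the caller
 * set no exec context, so a "context"/"both" configuration is downgraded to
 * "user" naming. This is an illustrative model, not pam_namespace's source. */
void compute_instance(enum poly_method configured, const char *user,
                      const char *member_ctx, const char *iprefix,
                      struct instance *out)
{
    enum poly_method m = configured;
    if (member_ctx == NULL && m != POLY_USER)
        m = POLY_USER;                       /* the silent downgrade */
    out->meth = m;
    out->inst_ctx = NULL;
    switch (m) {
    case POLY_USER:
        snprintf(out->poly_name, sizeof out->poly_name, "%s", user);
        break;
    case POLY_CONTEXT:
        snprintf(out->poly_name, sizeof out->poly_name, "%s", member_ctx);
        out->inst_ctx = member_ctx;
        break;
    case POLY_BOTH:   /* assumed format: context, underscore, user */
        snprintf(out->poly_name, sizeof out->poly_name, "%s_%s", member_ctx, user);
        out->inst_ctx = member_ctx;
        break;
    }
    snprintf(out->instance_dir, sizeof out->instance_dir, "%s%s", iprefix, out->poly_name);
}

int main(void)
{
    const char *prefix = "/var/polyinstantiated/polyinstantiated-inst/";
    struct instance login, sshd;
    /* login: exec context was set, policy returned a member context (from the log) */
    compute_instance(POLY_CONTEXT, "testdev", "root:object_r:var_t:SystemLow", prefix, &login);
    /* sshd/su: no setexeccon() call, hence no member context */
    compute_instance(POLY_CONTEXT, "testdev", NULL, prefix, &sshd);
    printf("login meth=%d poly_name=%s\nsshd  meth=%d poly_name=%s inst_ctx=%s\n",
           login.meth, login.poly_name, sshd.meth, sshd.poly_name,
           sshd.inst_ctx ? sshd.inst_ctx : "(null)");
    return 0;
}
```

A defender auditing /var/log/secure can apply the same rule in reverse: a session whose "dir=" line shows meth=0 while namespace.conf asks for context or both is one where the downgrade happened.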
