On Mon, 2006-06-26 at 11:29 -0500, Joe Nall wrote:
> On Jun 26, 2006, at 8:46 AM, Janak Desai wrote:
>
> > Can you tell me if this happens for login as well as ssh? and if your
> > /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module.
>
> I've been testing using su/ssh from an xterm in MLS/permissive.
>
> If I login as user 'test' to a virtual terminal, the context is
> 'root:object_r:var_t:SystemLow'. Shouldn't it be
> 'user_u:user_r:user_t:SystemLow'? That is what 'id -Z' shows after I
> login.
>
> /etc/pam.d/login
> #%PAM-1.0
> auth       required     pam_securetty.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    include      system-auth
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should be the last session rule
> session    required     pam_selinux.so open
> session    required     pam_namespace.so debug
>
> /etc/pam.d/su
> #%PAM-1.0
> auth       sufficient   pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth      sufficient   pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth      required     pam_wheel.so use_uid
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> session    optional     pam_xauth.so
> session    required     pam_namespace.so debug unmnt_remnt
>
> /etc/pam.d/sshd
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    include      system-auth
> session    required     pam_loginuid.so
> session    required     pam_namespace.so debug
>
> > Since you are using the debug option, /var/log/secure should have a
> > bunch of pam_namespace options connected to this session. Can you tell
> > me what the "poly_name ..." and "Inst ctxt .." messages look like?
>
> For the virtual terminal login case
>
> Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
>
> For the ssh from another machine case
>
> Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
> Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
>
> ssh test@localhost case (why is this different?)
>
> Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Configured poly dirs:
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 0
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 3
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
> Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548
>
> For the su - test case
>
> Jun 26 11:10:00 cipso su: pam_unix(su:session): session opened for user testdev by root(uid=0)
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): open_session - start
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Parsing config file /etc/security/namespace.conf
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Configured poly dirs:
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 0
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 3
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set up namespace for pid 6784
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Need poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Setting poly ns for user 500 for dir /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set namespace for directory /var/polyinstantiated
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): poly_name testdev
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
> Jun 26 11:10:00 cipso su: pam_namespace(su:session): namespace setup ok for pid 6784
>

Thanks for the info.

The context in the "context" mode of polyinstantiating is not automatically
set to the context of the shell, but it is set to the context returned by
security_compute_member(). security_compute_member() asks the policy to
compute the security context of a polyinstantiated member/instance based on
the source context (which in this case is the shell) and the context of the
directory to polyinstantiate.

I will sync with the latest policy sources from rawhide, experiment with the
type-member rules and let you know how you can control the context of
polyinstantiated instances.

-Janak

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
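An added example, not code from the thread or from pam_namespace itself: a small parser for the pam_namespace debug records quoted above. It groups the lines by syslog tag, pulls out the fields the thread is asking about (meth, poly_name, Inst/Orig context, instance_dir) and reports how each instance directory ended up being named, so the difference between the login case (poly_name is the member context the policy computed, identical to the parent directory's context) and the sshd/su cases (Inst context (null), poly_name is the user name) can be read straight from /var/log/secure rather than by eye. The sample lines are condensed from the excerpts in the thread; the Session field names and the findings text are this example's own.

```python
"""Summarise pam_namespace debug records from /var/log/secure.

Added example, not code from the thread or from pam_namespace.  Groups the
module's debug lines by syslog tag and explains how each polyinstantiated
instance directory was named.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: debug lines condensed from the /var/log/secure
# excerpts quoted in the thread (virtual-terminal login and ssh to localhost).
SAMPLE_LOG = """\
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548
"""

# syslog prefix, process tag ("login", "sshd[2548]", "su"), PAM service, message
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<tag>\S+): "
    r"pam_namespace\((?P<service>\w+):session\): (?P<msg>.*)$"
)


@dataclass
class Session:
    service: str
    tag: str
    pid: Optional[int] = None
    meth: Optional[int] = None
    member_context: Optional[str] = None
    poly_name: Optional[str] = None
    inst_context: Optional[str] = None  # None when the module logged "(null)"
    orig_context: Optional[str] = None
    instance_dir: Optional[str] = None
    setup_ok: bool = False


def parse_namespace_log(text: str) -> List[Session]:
    """One Session per syslog tag, closed when 'namespace setup ok' appears."""
    open_sessions: Dict[str, Session] = {}
    done: List[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_namespace line
        tag, service, msg = m.group("tag", "service", "msg")
        if msg.startswith("open_session - start"):
            open_sessions[tag] = Session(service=service, tag=tag)
            continue
        s = open_sessions.setdefault(tag, Session(service=service, tag=tag))
        if mm := re.search(r"\bmeth=(\d+)", msg):
            s.meth = int(mm.group(1))
        elif mm := re.match(r"Set up namespace for pid (\d+)", msg):
            s.pid = int(mm.group(1))
        elif mm := re.match(r"member context returned by policy (\S+)", msg):
            s.member_context = mm.group(1)
        elif mm := re.match(r"poly_name (\S+)", msg):
            s.poly_name = mm.group(1)
        elif mm := re.match(r"Inst context (\S+) Orig context (\S+)", msg):
            s.inst_context = None if mm.group(1) == "(null)" else mm.group(1)
            s.orig_context = mm.group(2)
        elif mm := re.match(r"instance_dir (\S+)", msg):
            s.instance_dir = mm.group(1)
        elif msg.startswith("namespace setup ok"):
            s.setup_ok = True
            done.append(open_sessions.pop(tag))
    done.extend(open_sessions.values())  # records that never reached setup ok
    return done


def assess(s: Session) -> List[str]:
    """Explain, from the debug record alone, how the instance directory was named."""
    findings: List[str] = []
    if not s.setup_ok:
        findings.append("namespace setup did not complete")
    if s.inst_context is None:
        findings.append(
            f"no instance context computed; instance keyed by poly_name {s.poly_name!r}")
    elif s.inst_context == s.orig_context:
        findings.append(
            "computed member context is identical to the parent directory context "
            f"({s.orig_context}); the policy's type_member rules gave the instance "
            "no distinct context")
    if s.instance_dir and s.poly_name and not s.instance_dir.endswith(s.poly_name):
        findings.append("instance_dir does not end with poly_name")
    return findings


def report(text: str) -> Dict[str, List[str]]:
    """Map each syslog tag (e.g. 'login', 'sshd[2548]') to its findings."""
    return {s.tag: assess(s) for s in parse_namespace_log(text)}


if __name__ == "__main__":
    for s in parse_namespace_log(SAMPLE_LOG):
        print(f"{s.tag}: pid={s.pid} meth={s.meth} poly_name={s.poly_name} "
              f"inst={s.inst_context} orig={s.orig_context}")
        for finding in assess(s):
            print("  -", finding)
```

Run against a real /var/log/secure (for example `report(open("/var/log/secure").read())`) it gives one record per pam_namespace session; the "identical to the parent directory context" finding is the condition Janak describes, where security_compute_member() handed back the directory's own context instead of a context derived from the shell.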