> -----Original Message-----
> From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz
> Sent: Thursday, September 06, 2007 6:50 AM
> To: fedora-selinux-list@xxxxxxxxxx
> Subject: Re: polyinstantiation of the /tmp dir
>
> On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > I'm trying to set up polyinstantiation of the /tmp directory using
> > RHEL5. The /etc/security/namespace.conf file shows the following line as
> > needing to be uncommented:
> > /tmp /tmp-inst/ level root,adm
> >
> > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> > the format of the /etc/security/namespace.conf file and the allowable
> > values. For the <method> entry it lists the following valid values:
> > "user", "context", "both". It doesn't list "level" as a valid value.
> > However, "level" is the only value that I can get to work. With "user",
> > "context", or "both", I get the following error when I attempt to use
> > newrole to change the level of my shell:
> > "pam_open_session failed with Cannot make/remove an entry for
> > the specified session"
> >
> > Any ideas as to why?
>
> There can be various reasons. Use the 'debug' option of pam_namespace to
> get some debug messages in /var/log/secure which may give some more
> insight on this.
>
> > And what other values are valid other than "level"?
>
> The documentation is a little bit outdated. The valid values are "user",
> "context" and "level".

Could you explain the difference between "level" and "context"? Here is what I'm seeing:

If I have "/tmp /tmp-inst/ level root,adm" in the namespace.conf file, when I use the command "newrole -l s4:c10,c20", I get the following entry under the /tmp-inst directory:

system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson

This entry contains both my name and the full security context of the shell that I've newroled to (the destination shell).

If I have "/tmp /tmp-inst/ context root,adm" in the namespace.conf file, when I use the command "newrole -l s4:c10,c20", I get the following entry under the /tmp-inst directory:

system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson

This entry contains both my name and the full security context of the shell that I've newroled from (the origination shell).

Is this the expected behavior?

Thanks

> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
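The thread turns on a mismatch between the shipped README.pam_namespace (which lists "both" as a method) and what pam_namespace actually accepts ("user", "context", "level"). A practitioner editing /etc/security/namespace.conf on a box like this would want to catch that before a failed pam_open_session locks them out of newrole. The following is an added example, not code from the thread or from the pam_namespace project: a small checker for namespace.conf lines. It assumes the field layout from README.pam_namespace (polydir, instance_prefix, method, optional comma-separated list of users for whom polyinstantiation is skipped), treats a trailing ":flags" suffix on the method field as an optional extension found in later pam releases (an assumption, harmless here), and runs over a constructed sample file embedded in the block.

```python
"""Check /etc/security/namespace.conf entries for pam_namespace.

Added example, not pam_namespace's own parser. Assumptions (see lead-in):
  - field layout: polydir instance_prefix method [list_of_uids]
  - accepted methods: user, context, level (per Tomas Mraz in the thread)
  - a "method:flag1,flag2" suffix is tolerated as a later-pam extension
"""
from dataclasses import dataclass
from typing import List, Tuple

VALID_METHODS = {"user", "context", "level"}


@dataclass
class PolyDir:
    lineno: int
    polydir: str
    instance_prefix: str
    method: str
    flags: List[str]
    excluded_users: List[str]


def parse_namespace_conf(text: str) -> Tuple[List[PolyDir], List[Tuple[int, str]]]:
    """Return (valid entries, problems) for the given namespace.conf content.

    Each problem is (line number, message). Lines with problems are not
    returned as entries, mirroring the fact that pam_namespace would not
    set up that polydir either.
    """
    entries: List[PolyDir] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            problems.append((lineno, f"expected 3 or 4 fields, got {len(fields)}: {line!r}"))
            continue
        polydir, prefix, method_field = fields[:3]
        excluded = fields[3].split(",") if len(fields) == 4 else []
        method, _, flagstr = method_field.partition(":")
        flags = flagstr.split(",") if flagstr else []
        if method not in VALID_METHODS:
            hint = " (listed in the outdated README, but not accepted)" if method == "both" else ""
            problems.append((lineno, f"invalid method {method!r}{hint}"))
            continue
        if polydir.rstrip("/") == prefix.rstrip("/"):
            problems.append((lineno, f"instance prefix must differ from polydir: {polydir!r}"))
            continue
        entries.append(PolyDir(lineno, polydir, prefix, method, flags, excluded))
    return entries, problems


# Constructed sample; not a real system's namespace.conf.
SAMPLE_CONF = """\
# polydir   instance_prefix      method   list_of_uids
/tmp        /tmp-inst/           level    root,adm
/var/tmp    /var/tmp/tmp-inst/   context  root,adm
$HOME       $HOME/$USER.inst/    level
/opt/data   /opt/data-inst/      both     root      # README says valid, pam disagrees
/srv        /srv-inst/                               # method field missing
"""


def check_sample() -> Tuple[int, int]:
    """Run the checker on SAMPLE_CONF; returns (valid entries, problems)."""
    entries, problems = parse_namespace_conf(SAMPLE_CONF)
    return len(entries), len(problems)


if __name__ == "__main__":
    ok, bad = parse_namespace_conf(SAMPLE_CONF)
    for e in ok:
        users = ",".join(e.excluded_users) or "(all users)"
        print(f"line {e.lineno}: {e.polydir} -> {e.instance_prefix} method={e.method} skip={users}")
    for lineno, msg in bad:
        print(f"line {lineno}: PROBLEM: {msg}")
```

Run it against a copy of the real file (`python3 check_ns.py < /etc/security/namespace.conf` after swapping SAMPLE_CONF for `sys.stdin.read()`) before restarting any PAM-using service; the "both" line in the sample is exactly the kind of entry the outdated README invites and pam_namespace then rejects at session open.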