On Thu, 2007-09-06 at 10:33 -0700, Clarkson, Mike R (US SSA) wrote:
>
> > -----Original Message-----
> > From: fedora-selinux-list-bounces@xxxxxxxxxx
> > [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz
> > Sent: Thursday, September 06, 2007 6:50 AM
> > To: fedora-selinux-list@xxxxxxxxxx
> > Subject: Re: polyinstantiation of the /tmp dir
> >
> > On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > > I'm trying to set up polyinstantiation of the /tmp directory using
> > > RHEL5. The /etc/security/namespace.conf file shows the following
> > > line as needing to be uncommented out:
> > > /tmp /tmp-inst/ level root,adm
> > >
> > > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file
> > > describes the format of the /etc/security/namespace.conf file, and
> > > the allowable values. For the <method> entry it lists the following
> > > valid values: "user", "context", "both". It doesn't list "level" as a
> > > valid value. However, "level" is the only value that I can get to
> > > work. With "user", "context", or "both", I get the following error
> > > when I attempt to use newrole to change the level of my shell:
> > > "pam_open_session failed with Cannot make/remove an entry for
> > > the specified session"
> > >
> > > Any ideas as to why?
> >
> > There can be various reasons. Use the 'debug' option of pam_namespace
> > to get some debug messages in /var/log/secure which may give some more
> > insight on this.
> >
> > > And what other values are valid other than "level"
> >
> > The documentation is a little bit outdated. The valid values are
> > "user", "context" and "level".
>
> Could you explain the difference between "level" and "context"? Here is
> what I'm seeing:
>
> If I have "/tmp /tmp-inst/ level root,adm" in the namespace.conf file,
> when I use the command "newrole -l s4:c10,c20", I get the following
> entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson. This entry
> contains both my name as well as the full security context of the shell
> that I've newroled to (the destination shell).
>
> If I have "/tmp /tmp-inst/ context root,adm" in the namespace.conf file,
> when I use the command "newrole -l s4:c10,c20", I get the following
> entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains
> both my name as well as the full security context of the shell that I've
> newroled from (the origination shell).
>
> Is this the expected behavior?

At present, you shouldn't really use the context option at all. It may
eventually get used for role-based polyinstantiation, but that isn't clear
right now.

-- 
Stephen Smalley
National Security Agency

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
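An added example, not code from the thread or from pam_namespace itself: a small checker for /etc/security/namespace.conf lines that applies the two points made in the replies (the valid method values are "user", "context" and "level", the README's "both" being stale, and "context" should not be used), plus a model of the instance names Mike reported so the difference between "level" and "context" is visible. The sample config is constructed; the naming model is an assumption fitted to the two names quoted above, not pam_namespace's own algorithm.

```python
VALID_METHODS = {"user", "context", "level"}  # per Tomas Mraz; "both" is stale

# Constructed sample config; the /tmp line is the one the thread discusses.
SAMPLE_NAMESPACE_CONF = """\
# polydir     instance_prefix     method   ignored users
/tmp          /tmp-inst/          level    root,adm
/var/tmp      /var/tmp/tmp-inst/  both     root,adm
/home/        /home/inst/         context  root
"""

# Instance names quoted in Mike's message, split into context and user.
DEST_CTX = "system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255"  # shell after newrole -l
ORIGIN_CTX = "system_u:object_r:tmp_t:s0-s15:c0.c255"       # shell before newrole
USER = "mr_clarkson"

def parse_namespace_conf(text):
    """Return [(polydir, instance_prefix, method, (ignored users...)), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields in namespace.conf line: {raw!r}")
        polydir, prefix, method, users = fields
        entries.append((polydir, prefix, method, tuple(users.split(","))))
    return entries

def check_entries(entries):
    """Return (polydir, problem) pairs for entries that will fail or are unwise."""
    problems = []
    for polydir, _prefix, method, _users in entries:
        if method not in VALID_METHODS:
            problems.append((polydir, f"invalid method {method!r}"))
        elif method == "context":
            problems.append((polydir, "method 'context' is not recommended"))
    return problems

def instance_name(method, user, origin_ctx, dest_ctx):
    """Model (an assumption, not pam_namespace's code) of the names Mike saw:
    'level' uses the context of the shell newrole switched to, 'context' the
    context of the shell newrole was run from; both append '_<user>'."""
    if method == "level":
        return f"{dest_ctx}_{user}"
    if method == "context":
        return f"{origin_ctx}_{user}"
    raise ValueError(f"naming for method {method!r} is not modelled here")
```

With "level", each newrole -l to a different level lands in its own /tmp instance; with "context", the originating shell's context is used, so the switched-to level does not separate /tmp.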