
Re: [redhat-lspp] Login onto virtual terminal with SL of Secret



On Mon, 26 Jun 2006 18:23:48 CDT, Joe Nall said:
> > Out of curiosity, if it's confined to 'Secret only', is it able to
> > open the mingetty binary?  What, if any, avc's get generated when
> > you try this?
> 
> None that appear related.

> Jun 26 18:21:16 cipso kernel: audit(1151364076.286:200): avc:   
> denied  { mounton } for  pid=4226 comm="login"  
> name="polyinstantiated" dev=dm-0 ino=36864115  
> scontext=system_u:system_r:local_login_t:s2  
> tcontext=user_u:object_r:user_t:s0 tclass=dir

Let me guess - it lives long enough to prompt for a userid/password, and
then dies?  This looks like the namespace.init stuff failing to work - you
probably need to check namespace.conf and make sure the 'polyinstantiated'
directory has a label that local_login_t:s2 can mount onto.  Failing that,
add 'debug' to the pam.d line for namespaces:

session    required     pam_namespace.so debug

and then go see if anything useful pops up in /var/log/secure
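
Added example, not part of the original message: a Python parser for the AVC denial quoted above that tolerates the mail client's line wrapping and "> " quoting, and reports the source and target contexts side by side. The function names are hypothetical; the sample is the record from this thread.

```python
import re

# Sample input: the denial quoted in this thread, wrapped as it appears in the mail.
SAMPLE = """Jun 26 18:21:16 cipso kernel: audit(1151364076.286:200): avc:
denied  { mounton } for  pid=4226 comm="login"
name="polyinstantiated" dev=dm-0 ino=36864115
scontext=system_u:system_r:local_login_t:s2
tcontext=user_u:object_r:user_t:s0 tclass=dir"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; an MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None  # absent on a non-MLS policy
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_avc(text):
    """Parse one AVC denial; returns None if the text holds no denial."""
    # Undo mail quoting ("> > ") and rejoin the wrapped record into one line.
    lines = [re.sub(r"^\s*(>\s*)+", "", l).strip() for l in text.splitlines()]
    flat = " ".join(l for l in lines if l)
    m = AVC_RE.search(flat)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def summarize(rec):
    """One-line summary that calls out differing levels between source and target."""
    s, t, f = rec["source"], rec["target"], rec["fields"]
    msg = (f'{f.get("comm")} ({s["type"]} at {s["level"]}) denied '
           f'{",".join(rec["perms"])} on {f.get("tclass")} '
           f'"{f.get("name")}" ({t["type"]} at {t["level"]})')
    if s["level"] != t["level"]:
        msg += f'; levels differ: source {s["level"]}, target {t["level"]}'
    return msg

if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE)))
```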
