Polyinstantiated directory instance name bug?
Joe Nall
joe at nall.com
Mon Jun 26 16:29:41 UTC 2006
On Jun 26, 2006, at 8:46 AM, Janak Desai wrote:
>
> Can you tell me if this happens for login as well as ssh? and if your
> /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module.
I've been testing using su/ssh from an xterm in MLS/permissive.
If I login as user 'test' to a virtual terminal, the context is
'root:object_r:var_t:SystemLow'. Shouldn't it be
'user_u:user_r:user_t:SystemLow'? That is what 'id -Z' shows after I
login.
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
session required pam_namespace.so debug
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
session required pam_namespace.so debug unmnt_remnt
/etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session required pam_namespace.so debug
> Since you are using the debug option, /var/log/secure should have a
> bunch of pam_namespace messages connected to this session. Can you tell
> me what the "poly_name ..." and "Inst ctxt .." messages look like?
For the virtual terminal login case
Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
For the ssh from another machine case
Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
ssh test@localhost case (why is this different?)
Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Configured poly dirs:
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 3
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548
For the su - test case
Jun 26 11:10:00 cipso su: pam_unix(su:session): session opened for user testdev by root(uid=0)
Jun 26 11:10:00 cipso su: pam_namespace(su:session): open_session - start
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Configured poly dirs:
Jun 26 11:10:00 cipso su: pam_namespace(su:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 3
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set up namespace for pid 6784
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): poly_name testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:10:00 cipso su: pam_namespace(su:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): namespace setup ok for pid 6784
> Currently the namespace module switches to the "user" mode even if
> the namespace.conf specifies "context" or "both" in the event that
> the program has not requested a context change for the next exec using
> setexeccon.
>
> Thanks.
>
> -Janak
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
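The two behaviours in the logs above (login naming the instance after a context, ssh and su naming it after the user) can be picked out mechanically from pam_namespace's debug output. The script below is an added example for this thread, not code from pam_namespace or from either poster. It parses syslog lines of the shape shown above (`... pam_namespace(<service>:session): <message>`) and, per session, reports the configured `meth` value, the chosen instance name, and two conditions taken from the thread: "Inst context (null)" with poly_name equal to the username, which the quoted reply attributes to the calling program not having set an exec context with setexeccon(), and an instance context that equals the original (parent directory) context, so the instance is named after the directory's own label rather than the user's process context. The sample log lines are constructed here, modelled on the post; the interpretation of `meth` numbers is deliberately not hard-coded, since the page does not define them.

```python
"""Summarise pam_namespace debug output per PAM session (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# syslog prefix plus the pam_namespace tag; the [pid] is optional (login/su omit it)
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_namespace\((?P<service>[^:]+):session\): (?P<msg>.*)$"
)
_METH = re.compile(r"^dir='(?P<dir>[^']+)' iprefix='(?P<iprefix>[^']+)' meth=(?P<meth>\d+)$")
_SETUP = re.compile(r"^Set up namespace for pid (?P<pid>\d+)$")
_NEED = re.compile(r"^Need poly ns for user (?P<uid>\d+) for dir (?P<dir>\S+)$")
_POLY = re.compile(r"^poly_name (?P<name>.+)$")
_INST = re.compile(r"^Inst context (?P<inst>\S+) Orig context (?P<orig>\S+)$")
_IDIR = re.compile(r"^instance_dir (?P<path>\S+)$")


@dataclass
class Session:
    service: str
    pid: Optional[str] = None
    uid: Optional[str] = None
    meth: Optional[int] = None
    poly_name: Optional[str] = None
    inst_ctx: Optional[str] = None
    orig_ctx: Optional[str] = None
    instance_dir: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    def naming(self) -> str:
        """How the instance was named, judged from the log alone: a literal
        '(null)' instance context means the module fell back to the username."""
        if self.inst_ctx is None:
            return "unknown"
        return "user" if self.inst_ctx == "(null)" else "context"

    def analyse(self) -> None:
        if self.inst_ctx == "(null)":
            self.findings.append(
                "user-mode fallback: no exec context available (setexeccon not called), "
                "instance named after the user")
        elif self.inst_ctx is not None and self.inst_ctx == self.orig_ctx:
            self.findings.append(
                "instance context equals parent directory context; "
                "the instance is not named after the user's process context")


def parse_sessions(lines) -> List[Session]:
    """Group pam_namespace messages by (service, pid); a new Session starts at
    'open_session - start'. Lines that are not pam_namespace output are skipped."""
    sessions: List[Session] = []
    current: Dict[Tuple[str, Optional[str]], Session] = {}
    for raw in lines:
        m = _LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        key = (m["service"], m["pid"])
        msg = m["msg"]
        if msg == "open_session - start":
            current[key] = Session(service=m["service"], pid=m["pid"])
            sessions.append(current[key])
            continue
        s = current.get(key)
        if s is None:
            continue
        if (mm := _METH.match(msg)):
            s.meth = int(mm["meth"])
        elif (mm := _SETUP.match(msg)):
            s.pid = s.pid or mm["pid"]
        elif (mm := _NEED.match(msg)):
            s.uid = mm["uid"]
        elif (mm := _POLY.match(msg)):
            s.poly_name = mm["name"]
        elif (mm := _INST.match(msg)):
            s.inst_ctx, s.orig_ctx = mm["inst"], mm["orig"]
        elif (mm := _IDIR.match(msg)):
            s.instance_dir = mm["path"]
    for s in sessions:
        s.analyse()
    return sessions


def report(sessions: List[Session]) -> str:
    out = []
    for s in sessions:
        out.append(f"{s.service} pid={s.pid} uid={s.uid} meth={s.meth} "
                   f"naming={s.naming()} instance_dir={s.instance_dir}")
        out.extend(f"  ! {f}" for f in s.findings)
    return "\n".join(out)


# Constructed sample, modelled on the login and ssh cases quoted in the thread.
SAMPLE_LOG = """\
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
"""

if __name__ == "__main__":
    print(report(parse_sessions(SAMPLE_LOG.splitlines())))
```

Run against a real /var/log/secure with `pam_namespace.so debug` stacked as in the pam.d files above, the report separates sessions whose instance name came from a context from those that silently fell back to the username, which is the distinction the thread is chasing; an instance named after the directory's own label (inst context equal to orig context) is flagged separately so it is not mistaken for a per-user context.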