[redhat-lspp] pam_namespace is broken from an SELinux perspective.
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 7 16:17:44 UTC 2006
I am trying to fix the problems with polyinstatiation and SELinux Policy
in MLS.
I have found that the way pam_namespace works is broken from an SELinux
point of view.
If I setup the /tmp directory to polyinstatiate and I log in as a
staff_t, I end up with /tmp mounted as staff_tmp_t instead of tmp_t.
This is wrong, since confined apps that I run as a user expect tmp_t.
Similarly /home/dwalsh gets mounted as staff_home_t instead of
staff_home_dir_t. This causes all of the transitions to fail.
The problem is the pam_namespace is asking the system if staff_t creates
a directory in tmp_t how should it be created. The system responds
staff_tmp_t. What pam_namespace should be doing is taking the directory
tmp_t and replacing it's MLS level with the level of the user. That is all.
So staff_t loging in as s0:c1
will end up with /tmp being
system_u:object_r:tmp_t:s0:c1
And /home/dwalsh
system_u:object_r:staff_home_dir_t:s0:c1
I am trying out a patched version of pam_namespace to see if this fixes
the problem.
Am I makeing the correct assumption.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam-0.99.6.2-selinux-namespace.patch
Type: text/x-patch
Size: 2092 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061207/3e88fd7f/attachment.bin>
More information about the redhat-lspp
mailing list