[redhat-lspp] pam_namespace is broken from an SELinux perspective.

Stephen Smalley sds at tycho.nsa.gov
Thu Dec 7 20:00:47 UTC 2006


On Thu, 2006-12-07 at 14:54 -0500, Linda Knippers wrote:
> Stephen Smalley wrote:
> >>Should I also get a new set of directories if I use newrole to switch
> >>roles?  I don't (and not sure I want to) but I'm wondering if I'm
> >>supposed to since the man page says it polyinstantiates based on
> >>"context" and when I change roles, my context changes, right?
> > 
> > 
> > Correct - it was intended to be general and support role/domain-based
> > instantiation as well as level instantiation, but Dan's patch drops that
> > support and hardcodes the level instantiation.  Which is simpler and
> > yields the desired behavior for MLS and LSPP, at a cost in generality.
> > The more general fix may take more effort (small kernel patch to adjust
> > the logic or policy and labeling adjustments to work around).
> 
> I kind of like the way it's working now.  I don't necessarily want a new
> home directory when I switch roles.  I think if the code gets changed, it
> would be nice to have the behavior selectable.  Right now the options are
> to instantiate based on name, context or both.  Having the option to
> instantiate on the full context or just the level would be nice.

Then I'd suggest renaming the current "context" option to "level"
everywhere so that there is no confusion and so that one can later add
"context" or "role" without conflict.  As well as fixing the other
issues I noted with the patch.

-- 
Stephen Smalley
National Security Agency
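For readers of this thread, here is what the "selectable" behaviour Linda asks for and the "level" name Stephen proposes look like in /etc/security/namespace.conf. This is an added illustration, not configuration posted in the thread: it assumes the method names that later pam_namespace releases document ("user", "context", "level"), where "context" instantiates on user name plus full SELinux context and "level" on user name plus MLS level only, so a newrole to a different role at the same level keeps the same instance directory under "level" but gets a fresh one under "context". The polydir and instance_prefix paths are example values.

```text
# /etc/security/namespace.conf (added example; field layout per pam_namespace(8))
#
# polydir     instance_prefix         method   list_of_uids (exempt users)

# Full-context instantiation: a role change via newrole yields a new /tmp
# instance, since role is part of the context.
/tmp          /tmp-inst/              context  root,adm

# Level-only instantiation: instance is keyed on user name plus MLS level,
# so switching roles at the same level keeps the same /var/tmp instance.
/var/tmp      /var/tmp/tmp-inst/      level    root,adm

# Home directories: the behaviour Linda describes wanting (no new home
# directory on a role switch) corresponds to "level", not "context".
$HOME         $HOME/$USER.inst/       level
```

The list_of_uids column names users that are not polyinstantiated; prefixing it with "~" inverts the list. Whichever method is chosen, the instance directory must carry the right label for the instantiated context or level, which is the labeling work Stephen refers to when he says the more general fix needs policy adjustments.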
