[redhat-lspp] Re: some additional pam_namespace issues ..
Stephen Smalley
sds at tycho.nsa.gov
Thu Feb 16 17:41:34 UTC 2006
On Thu, 2006-02-16 at 12:10 -0500, JANAK DESAI wrote:
> I have unit tested this and it works well. Does anyone see any
> issues in getting to the original directory in this manner?
Not offhand.
> The second is a question regarding su/getexeccon/getcon..
> The pam_namespace module uses pam session management
> hooks to create polyinstantiation instance directory based on
> the context returned by getexeccon. Since su no longer
> uses pam_selinux (which does a setexeccon), getexeccon
> in pam_namespace returns null. I am wondering if it is
> ok to use getcon() when getexeccon() returns null (indicating
> default policy behavior for the context of the next execed
> process)? If I use getcon(), su will re-polyinstantiate based
> on the correct new user id and the correct mls range,
> however the domain name used in instance directory
> will not reflect the domain of the shell executed by su.
> However, since we do not re-polyinstantiate on domain
> transitions through execs anyway, I am guessing using
> getcon() is acceptable. Thoughts?
Not sure I follow. Since we are no longer changing contexts via su, why
do we care about computing any context for the polyinstantiation? We
should only care about per-user polyinstantiation, which doesn't depend
on SELinux context at all there.
--
Stephen Smalley
National Security Agency
More information about the redhat-lspp
mailing list