[redhat-lspp] /tmp polyinstantiation and the man command

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 28 13:09:25 UTC 2006


On Mon, 2006-11-27 at 18:46 -0500, Linda Knippers wrote:
> During today's conference call I mentioned a problem I'm seeing
> where the man command doesn't work for certain users in certain
> roles.  I also mentioned separately that I have a problem accessing
> /tmp at times.  Turns out these problems are related.  Whenever I
> can't access /tmp the man command will fail.  I hadn't noticed an
> AVC deny before but there's one from the mktemp command:
> 
> type=AVC msg=audit(1164668073.122:853): avc:  denied  { write } for  pid=5160
> comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0
> ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1164668073.122:853): arch=40000003 syscall=5 success=no
> exit=-13 a0=9a80008 a1=c2 a2=180 a3=9a80008 items=0 ppid=5156 pid=5160 auid=501
> uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1
> comm="mktemp" exe="/bin/mktemp" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> key=(null)
> 
> I get similar messages if I try:
> -bash-3.1$ touch /tmp/foo
> touch: cannot touch `/tmp/foo': Permission denied
> 
> With my current example, the only way my non-root administrative user
> can access /tmp is in the sysadm_r role.  In the staff_r or secadm_r
> roles, the user can't access /tmp.
> 
> I looked in /var/log/secure for messages and I see the /tmp directory
> being set up when the user logs in.  I get messages like:
> 
> Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name
> system_u:object_r:staff_tmp_t:SystemLow_ljk
> Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt
> system_u:object_r:staff_tmp_t:SystemLow Orig ctxt
> system_u:object_r:tmp_t:SystemLow-s15:c0.c1023
> 
> but I don't see any messages for any of the newroles.  Now
> this is starting to ring a bell.  Didn't someone mention something recently
> about configuring pam for newrole?  My system is installed using the latest
> kickstart script but maybe there's a problem with the setup?
> 
> I also can't get to the home directory for any user so I've got
> problems there too.
> 
> Klaus, are you seeing the same behavior?
> 
> Does anyone have a configuration with polyinstantiation working?  If so,
> any advice?

Version of policycoreutils-newrole and selinux-policy-mls?
Contents of /etc/pam.d/newrole?

-- 
Stephen Smalley
National Security Agency
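An added triage helper, not part of this thread: it parses the AVC record and the pam_namespace session line quoted above and checks whether the type on the denied target matches the instance context pam_namespace reported, which is the first comparison to make when a polyinstantiated /tmp turns out to be unwritable. The sample records are constructed from the quoted lines.

```python
import re
# Constructed samples: the audit record and pam_namespace log line quoted in the
# post above, re-joined onto single lines as the daemons actually emit them.
AVC_RECORD = (
    'type=AVC msg=audit(1164668073.122:853): avc:  denied  { write } for  pid=5160 '
    'comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0 '
    'ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir'
)
PAM_NAMESPACE_LINE = (
    'Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt '
    'system_u:object_r:staff_tmp_t:SystemLow Orig ctxt '
    'system_u:object_r:tmp_t:SystemLow-s15:c0.c1023'
)

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INST_RE = re.compile(r'Inst ctxt (\S+) Orig ctxt (\S+)')

def parse_avc(record):
    """Split an AVC record into verdict, permission list and its key=value fields."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(record)}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """user:role:type[:range] -> the type component."""
    return context.split(':')[2]

def parse_inst_ctxt(line):
    """Instance and original contexts from a pam_namespace session log line."""
    m = INST_RE.search(line)
    return None if m is None else {'inst': m.group(1), 'orig': m.group(2)}

def check_poly_label(avc, ctxt):
    """Compare the denied target's type with the instance context pam_namespace set up."""
    # name= is the instance directory itself (instance context plus a per-user
    # suffix), so its tcontext type should equal the Inst ctxt type.
    expected, actual = selinux_type(ctxt['inst']), selinux_type(avc['tcontext'])
    return {'target_is_instance_dir': avc['name'].startswith(ctxt['inst']),
            'expected_type': expected, 'actual_type': actual,
            'label_ok': expected == actual}

def triage(avc_record=AVC_RECORD, pam_line=PAM_NAMESPACE_LINE):
    return check_poly_label(parse_avc(avc_record), parse_inst_ctxt(pam_line))
```

On the quoted records the helper reports the instance directory carrying default_t where pam_namespace set up staff_tmp_t, which is the mismatch to chase before looking at newrole's PAM stack.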



