[redhat-lspp] /tmp polyinstantiation and the man command
Stephen Smalley
sds at tycho.nsa.gov
Tue Nov 28 13:09:25 UTC 2006
On Mon, 2006-11-27 at 18:46 -0500, Linda Knippers wrote:
> During today's conference call I mentioned a problem I'm seeing
> where the man command doesn't work for certain users in certain
> roles. I also mentioned separately that I have a problem accessing
> /tmp at times. Turns out these problems are related. Whenever I
> can't access /tmp the man command will fail. I hadn't noticed an
> AVC deny before but there's one from the mktemp command:
>
> type=AVC msg=audit(1164668073.122:853): avc: denied { write } for pid=5160
> comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0
> ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1164668073.122:853): arch=40000003 syscall=5 success=no
> exit=-13 a0=9a80008 a1=c2 a2=180 a3=9a80008 items=0 ppid=5156 pid=5160 auid=501
> uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1
> comm="mktemp" exe="/bin/mktemp" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> key=(null)
>
> I get similar messages if I try:
> -bash-3.1$ touch /tmp/foo
> touch: cannot touch `/tmp/foo': Permission denied
>
> With my current example, the only way my non-root administrative user
> can access /tmp is in the sysadm_r role. In the staff_r or secadm_r
> roles, the user can't access /tmp.
>
> I looked in /var/log/secure for messages and I see the /tmp directory
> being set up when the user logs in. I get messages like:
>
> Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name
> system_u:object_r:staff_tmp_t:SystemLow_ljk
> Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt
> system_u:object_r:staff_tmp_t:SystemLow Orig ctxt
> system_u:object_r:tmp_t:SystemLow-s15:c0.c1023
>
> but I don't see any messages for any of the newroles. Now
> this is starting to ring a bell. Didn't someone mention something recently
> about configuring pam for newrole? My system is installed using the latest
> kickstart script but maybe there's a problem with the setup?
>
> I also can't get to the home directory for any user so I've got
> problems there too.
>
> Klaus, are you seeing the same behavior?
>
> Does anyone have a configuration with polyinstantiation working? If so,
> any advice?
Version of policycoreutils-newrole and selinux-policy-mls?
Contents of /etc/pam.d/newrole?
--
Stephen Smalley
National Security Agency
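The logs quoted above contain two facts that can be correlated mechanically: pam_namespace logs the instance context it intended for each poly_name, and the AVC record names the same instance directory with the label it actually carries (default_t rather than staff_tmp_t). As an added example, not from the thread or from pam_namespace itself, the script below reads both logs and reports polyinstantiated directories whose denied access shows a type other than the one pam_namespace logged; it assumes each audit record sits on one line (the archive wrapped them) and that the "Inst ctxt" line follows its "poly_name" line.

```python
import re

# Sample log lines copied from the quoted messages; the AVC record is re-joined
# onto a single line because the mailing-list archive wrapped it.
AUDIT_LOG = [
    'type=AVC msg=audit(1164668073.122:853): avc: denied { write } for pid=5160 '
    'comm="mktemp" name="system_u:object_r:staff_tmp_t:SystemLow_ljk" dev=dm-0 '
    'ino=1015810 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
]
SECURE_LOG = [
    'Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): poly_name '
    'system_u:object_r:staff_tmp_t:SystemLow_ljk',
    'Nov 27 18:15:57 kipper sshd[5661]: pam_namespace(sshd:session): Inst ctxt '
    'system_u:object_r:staff_tmp_t:SystemLow Orig ctxt '
    'system_u:object_r:tmp_t:SystemLow-s15:c0.c1023',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
                    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+)'
                    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')
POLY_RE = re.compile(r'pam_namespace\([^)]*\): poly_name (?P<poly>\S+)')
INST_RE = re.compile(r'pam_namespace\([^)]*\): Inst ctxt (?P<inst>\S+) Orig ctxt (?P<orig>\S+)')

def selinux_type(context):
    """Return the type field (third colon-separated component) of a SELinux context."""
    return context.split(':')[2]

def expected_instance_contexts(secure_lines):
    """Map each poly_name to the instance context pam_namespace logged right after it."""
    expected, pending = {}, None
    for line in secure_lines:
        m = POLY_RE.search(line)
        if m:
            pending = m.group('poly')
            continue
        m = INST_RE.search(line)
        if m and pending:
            expected[pending] = m.group('inst')
            pending = None
    return expected

def find_mislabelled_instances(audit_lines, secure_lines):
    """Report dir denials on a polyinstantiated directory whose actual type differs from the intended one."""
    expected, findings = expected_instance_contexts(secure_lines), []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if not m or m.group('tclass') != 'dir' or m.group('name') not in expected:
            continue
        actual, intended = selinux_type(m.group('tcontext')), selinux_type(expected[m.group('name')])
        if actual != intended:
            findings.append({'instance': m.group('name'), 'intended_type': intended, 'actual_type': actual,
                             'denied': m.group('perms').strip(), 'scontext': m.group('scontext')})
    return findings

if __name__ == '__main__':
    for finding in find_mislabelled_instances(AUDIT_LOG, SECURE_LOG):
        print(finding)
```

On the quoted logs it reports one instance directory intended as staff_tmp_t but carrying default_t, which is the mismatch behind the write denial.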