[redhat-lspp] /tmp polyinstantiation and the man command

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 28 17:54:35 UTC 2006


On Tue, 2006-11-28 at 11:01 -0500, Linda Knippers wrote:
> Stephen Smalley wrote:
> > On Tue, 2006-11-28 at 10:41 -0500, Linda Knippers wrote:
> > 
> >>Stephen Smalley wrote:
> >>
> >>
> >>>Version of policycoreutils-newrole and selinux-policy-mls?
> >>>Contents of /etc/pam.d/newrole?
> >>
> >>Sorry, I'd mentioned in the call that I was running the latest from
> >>Dan's people page but omitted it from the mail.  I have these
> >>rpms.
> >>
> >>policycoreutils-1.33.2-2.el5
> >>policycoreutils-newrole-1.33.2-2.el5
> >>selinux-policy-mls-2.4.5-3.el5
> >>selinux-policy-2.4.5-3.el5
> >>
> >>/etc/pam.d/newrole has this:
> >>#%PAM-1.0
> >>auth       include      system-auth
> >>account    include      system-auth
> >>password   include      system-auth
> >>session    include      system-auth
> >>session    optional     pam_xauth.so
> > 
> > 
> > I would have expected the latter to include:
> > session    required     pam_namespace.so unmnt_remnt no_unmount_on_close
> 
> I added that line but I don't see any difference in behavior.  I added
> it at the end.  Does the location matter?  (Sorry for the dumb pam question).

Possibly, e.g. if there is a sufficient or requisite module in the
system-auth stack.  Easiest thing to do is to move it up to the first
one and try again.  But now I am wondering whether that policycoreutils
was built with LSPP_PRIV=y, which is required to enable the audit and
namespace functionality.  The fedora devel .spec file still has
LOG_AUDIT_PRIV=y, which was the old flag for building with audit support
and no longer is used.

ls -l /usr/bin/newrole

-- 
Stephen Smalley
National Security Agency
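
An added example, not part of the original message or of any project's code: a small Python check for the ordering question discussed above. It expands `include` lines in a PAM service file and lists the `sufficient`/`requisite` entries that run before `pam_namespace.so` in the session stack. The file contents and `pam_example.so` are constructed for illustration.

```python
import os
import re

# Constructed sample configs (assumption: not the real files from the thread).
# pam_example.so is a hypothetical module standing in for a "sufficient" entry.
FILES = {
    "newrole": (
        "#%PAM-1.0\n"
        "session    include      system-auth\n"
        "session    optional     pam_xauth.so\n"
        "session    required     pam_namespace.so unmnt_remnt no_unmount_on_close\n"
    ),
    "system-auth": (
        "session    sufficient   pam_example.so\n"
        "session    required     pam_unix.so\n"
    ),
}
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_stack(service, files, seen=()):
    """Effective session stack as (file, control, module), with 'include' expanded in place."""
    stack = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        control, target = m.group(2), m.group(3)
        if control == "include":
            if target not in seen + (service,):  # guard against include loops
                stack += session_stack(target, files, seen + (service,))
        else:
            stack.append((service, control, os.path.basename(target)))
    return stack

def can_end_early(control):
    """True for controls that can return to the application before later modules run."""
    if control in ("sufficient", "requisite"):
        return True
    return control.startswith("[") and re.search(r"=(done|die)\b", control) is not None

def check_module(service, module, files):
    """Return (index of module in the session stack or None, earlier entries that can end the stack)."""
    stack = session_stack(service, files)
    for i, entry in enumerate(stack):
        if entry[2] == module:
            return i, [e for e in stack[:i] if can_end_early(e[1])]
    return None, []

if __name__ == "__main__":
    print(check_module("newrole", "pam_namespace.so", FILES))
```

An empty list in the second position means nothing ahead of `pam_namespace.so` can stop the stack, which is the state reached by moving the line to the top.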



