-----Original Message-----
From: fedora-selinux-list-bounces(a)redhat.com [mailto:fedora-selinux-list-bounces(a)redhat.com] On Behalf Of Tomas Mraz
Sent: Thursday, September 06, 2007 6:50 AM
To: fedora-selinux-list(a)redhat.com
Subject: Re: polyinstantiation of the /tmp dir
On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm trying to set up polyinstantiation of the /tmp directory using
> RHEL5. The /etc/security/namespace.conf file shows the following line as
> needing to be uncommented:
> /tmp /tmp-inst/ level root,adm
>
> The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> the format of the /etc/security/namespace.conf file, and the allowable
> values. For the <method> entry it lists the following valid values:
> "user", "context", "both". It doesn't list "level" as a valid value.
> However, "level" is the only value that I can get to work. With "user",
> "context", or "both", I get the following error when I attempt to use
> newrole to change the level of my shell:
> "pam_open_session failed with Cannot make/remove an entry for
> the specified session"
>
> Any ideas as to why?
There can be various reasons. Use the 'debug' option of pam_namespace to
get some debug messages in /var/log/secure which may give some more
insight on this.
> And what other values are valid other than "level"
The documentation is a little bit outdated. The valid values are "user",
"context" and "level".

Could you explain the difference between "level" and "context"? Here is
what I'm seeing:
If I have "/tmp /tmp-inst/ level root,adm" in the namespace.conf file,
when I use the command "newrole -l s4:c10,c20", I get the following entry
under the /tmp-inst directory:
system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson. This entry
contains both my name as well as the full security context of the shell
that I've newroled to (the destination shell).
If I have "/tmp /tmp-inst/ context root,adm" in the
namespace.conf file, when I use the command "newrole -l s4:c10,c20", I
get the following entry under the /tmp-inst directory:
system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains
both my name as well as the full security context of the shell that I've
newroled from (the origination shell).
Is this the expected behavior?
Thanks
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
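The thread turns on two practical points: the README's "both" method is stale and only "user", "context" and "level" are accepted, and the quickest way to see why a session fails is the pam_namespace "debug" option. The script below is an added example, not code from this thread, from pam_namespace or from Red Hat. It checks a namespace.conf for the four-field layout the thread uses (polydir, instance prefix, method, list of uids) and rejects any method outside the three Tomas lists, and it checks whether a PAM service file actually passes "debug" to pam_namespace.so. The function names, the sample config lines and the sample PAM lines are this example's own constructed input, not copied from a real RHEL5 box.

```sh
#!/bin/sh
# Added example, not code from the thread or from pam_namespace: a checker
# for /etc/security/namespace.conf entries. It enforces the four-field
# layout the thread uses (polydir instance_prefix method list_of_uids) and
# the method values Tomas Mraz lists as valid ("user", "context", "level"),
# so a line using the README's stale "both" is reported before it turns
# into a pam_open_session failure. Function names are this example's own.
set -f   # no pathname expansion while we word-split config lines

# validate_method METHOD -> 0 if METHOD is one of the accepted values.
validate_method() {
    case "$1" in
        user|context|level) return 0 ;;
        *)                  return 1 ;;
    esac
}

# validate_line LINE -> 0 for blank/comment lines and well-formed entries,
# 1 otherwise (reason on stderr).
validate_line() {
    _line=$1
    case "$_line" in
        ''|\#*) return 0 ;;
    esac
    set -- $_line
    if [ "$#" -ne 4 ]; then
        echo "namespace.conf: expected 4 fields, got $#: $_line" >&2
        return 1
    fi
    if ! validate_method "$3"; then
        echo "namespace.conf: method '$3' is not user, context or level: $_line" >&2
        return 1
    fi
    return 0
}

# validate_conf < FILE -> 0 if every line passes, 1 if any line fails.
validate_conf() {
    _rc=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        validate_line "$_l" || _rc=1
    done
    return "$_rc"
}

# has_debug_option < PAMFILE -> 0 if a session line loads pam_namespace.so
# with the "debug" argument Tomas recommends, 1 otherwise.
has_debug_option() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_namespace\.so.*[[:space:]]debug([[:space:]]|$)'
}

# Constructed samples (not taken from a real RHEL5 system).
SAMPLE_GOOD='# polydir   instance_prefix   method   list_of_uids
/tmp        /tmp-inst/        level    root,adm
/var/tmp    /var/tmp-inst/    context  root,adm'
SAMPLE_BAD='/tmp        /tmp-inst/        both     root,adm'
PAM_DEBUG='session    required     pam_namespace.so debug'
PAM_NODEBUG='session    required     pam_namespace.so'

# Usage on a live system:
#   validate_conf < /etc/security/namespace.conf
#   has_debug_option < /etc/pam.d/newrole
```

The "debug" argument belongs on the pam_namespace.so line of the PAM service file, not in namespace.conf; which service file carries that line for newrole on a given box is an assumption here (the path in the usage comment is illustrative), so check the file newrole is actually configured to use, then watch /var/log/secure while reproducing the failure.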
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list