On Mon, 26 Jun 2006 18:23:48 CDT, Joe Nall said:
> > Out of curiosity, if it's confined to 'Secret only', is it able to
> > open the mingetty binary? What, if any, avc's get generated when
> > you try this?
>
> None that appear related.
> Jun 26 18:21:16 cipso kernel: audit(1151364076.286:200): avc:
> denied { mounton } for pid=4226 comm="login"
> name="polyinstantiated" dev=dm-0 ino=36864115
> scontext=system_u:system_r:local_login_t:s2
> tcontext=user_u:object_r:user_t:s0 tclass=dir
Let me guess - it lives long enough to prompt for a userid/password, and
then dies? This looks like the namespace.init stuff failing to work - you
probably need to check namespace.conf and make sure the 'polyinstantiated'
directory has a label that local_login_t:s2 can mount onto. Failing that,
add 'debug' to the pam.d line for namespaces:

    session required pam_namespace.so debug

and then go see if anything useful pops up in /var/log/secure
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
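The denial quoted in the message can be taken apart field by field to put the login process's label next to the label on the directory it tried to mount onto. This is an added example, not part of the original message or of any SELinux tool; the function names are hypothetical, the sample is the record as quoted above, and the code only extracts labels without evaluating policy.

```python
import re

# The record exactly as quoted in the message, "> " prefixes and wrapping included.
QUOTED_AVC = """\
> Jun 26 18:21:16 cipso kernel: audit(1151364076.286:200): avc:
> denied { mounton } for pid=4226 comm="login"
> name="polyinstantiated" dev=dm-0 ino=36864115
> scontext=system_u:system_r:local_login_t:s2
> tcontext=user_u:object_r:user_t:s0 tclass=dir
"""

def unquote(text):
    """Strip e-mail quote markers and rejoin a wrapped record onto one line."""
    parts = (re.sub(r"^\s*(>\s?)+", "", ln).strip() for ln in text.splitlines())
    return " ".join(p for p in parts if p)

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def parse_avc(line):
    """Return the fields of one AVC message, or None if the line is not one."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {"result": m.group(1), "perms": m.group(2).split(),
            "comm": kv.get("comm"), "name": kv.get("name"),
            "tclass": kv["tclass"],
            "source": parse_context(kv["scontext"]),
            "target": parse_context(kv["tcontext"])}

def summarize(avc):
    """One line stating who was refused what, with both labels side by side."""
    s, t = avc["source"], avc["target"]
    return (f'{avc["comm"]} [{s["type"]}:{s["level"]}] {avc["result"]} '
            f'{{{" ".join(avc["perms"])}}} on {avc["tclass"]} '
            f'"{avc["name"]}" [{t["type"]}:{t["level"]}]')

if __name__ == "__main__":
    print(summarize(parse_avc(unquote(QUOTED_AVC))))
```
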
