On Tue, 2006-11-28 at 11:01 -0500, Linda Knippers wrote:
> Stephen Smalley wrote:
> > On Tue, 2006-11-28 at 10:41 -0500, Linda Knippers wrote:
> >
> >>Stephen Smalley wrote:
> >>
> >>>Version of policycoreutils-newrole and selinux-policy-mls?
> >>>Contents of /etc/pam.d/newrole?
> >>
> >>Sorry, I'd mentioned in the call that I was running the latest from
> >>Dan's people page but omitted it from the mail. I have these
> >>rpms.
> >>
> >>policycoreutils-1.33.2-2.el5
> >>policycoreutils-newrole-1.33.2-2.el5
> >>selinux-policy-mls-2.4.5-3.el5
> >>selinux-policy-2.4.5-3.el5
> >>
> >>/etc/pam.d/newrole has this:
> >>#%PAM-1.0
> >>auth include system-auth
> >>account include system-auth
> >>password include system-auth
> >>session include system-auth
> >>session optional pam_xauth.so
> >
> > I would have expected the latter to include:
> > session required pam_namespace.so unmnt_remnt no_unmount_on_close
>
> I added that line but I don't see any difference in behavior. I added
> it at the end. Does the location matter? (Sorry for the dumb pam question).

Possibly, e.g. if there is a sufficient or requisite module in the
system-auth stack. Easiest thing to do is to move it up to the first
one and try again.

But now I am wondering whether that policycoreutils was built with
LSPP_PRIV=y, which is required to enable the audit and namespace
functionality. The fedora devel .spec file still has LOG_AUDIT_PRIV=y,
which was the old flag for building with audit support and no longer is
used.

ls -l /usr/bin/newrole

--
Stephen Smalley
National Security Agency
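The ordering question raised in this message can be checked mechanically. The following is an added example, not part of the original thread or of any project's code: it flattens the session stack of the quoted /etc/pam.d/newrole, expanding `include`, and lists the entries ahead of pam_namespace.so that can end the stack early. The system-auth contents are constructed (the thread does not show them) and the function names are hypothetical.

```python
# SYSTEM_AUTH is a constructed sample; the thread does not show the real file.
SYSTEM_AUTH = """\
session required pam_limits.so
session sufficient pam_unix.so
"""
# NEWROLE is the file quoted in the thread with the suggested line appended at the end.
NEWROLE = """\
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
session required pam_namespace.so unmnt_remnt no_unmount_on_close
"""

def flatten(name, files, mtype="session", depth=0):
    """Return [(control, module, origin_file)] for one type, expanding 'include'."""
    if depth > 8:
        raise ValueError("include nesting too deep")
    stack = []
    for raw in files[name].splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0].lstrip("-") != mtype:
            continue
        end = 1
        if tok[1].startswith("["):  # bracketed control may contain spaces
            end = next((i for i, t in enumerate(tok) if t.endswith("]")), len(tok) - 1)
        control, rest = " ".join(tok[1:end + 1]), tok[end + 1:]
        if rest and control == "include":  # included lines join the caller's stack
            stack += flatten(rest[0], files, mtype, depth + 1)
        elif rest:
            stack.append((control, rest[0], name))
    return stack

def can_end_stack(control):
    """True for controls that can return to the application before later modules run."""
    if control in ("sufficient", "requisite"):
        return True
    return control.startswith("[") and ("=done" in control or "=die" in control)

def blockers_before(stack, module):
    """Entries ahead of `module` that may short-circuit it; None if module is absent."""
    mods = [m for _, m, _ in stack]
    if module not in mods:
        return None
    return [e for e in stack[:mods.index(module)] if can_end_stack(e[0])]

files = {"newrole": NEWROLE, "system-auth": SYSTEM_AUTH}
print(blockers_before(flatten("newrole", files), "pam_namespace.so"))
```

An empty list means nothing ahead of the module can return early; `substack` lines are not expanded here.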
