I am trying to fix the problems with polyinstantiation and SELinux Policy
in MLS.
I have found that the way pam_namespace works is broken from an SELinux
point of view.
If I set up the /tmp directory to polyinstantiate and I log in as a
staff_t, I end up with /tmp mounted as staff_tmp_t instead of tmp_t.
This is wrong, since confined apps that I run as a user expect tmp_t.
Similarly /home/dwalsh gets mounted as staff_home_t instead of
staff_home_dir_t. This causes all of the transitions to fail.
The problem is that pam_namespace is asking the system: if staff_t creates
a directory in tmp_t, how should it be created? The system responds
staff_tmp_t. What pam_namespace should be doing is taking the directory
tmp_t and replacing its MLS level with the level of the user. That is all.
So staff_t logging in as s0:c1
will end up with /tmp being
system_u:object_r:tmp_t:s0:c1
And /home/dwalsh
system_u:object_r:staff_home_dir_t:s0:c1
I am trying out a patched version of pam_namespace to see if this fixes
the problem.
Am I making the correct assumption?
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h~ 2006-12-07 10:38:43.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2006-12-07 10:40:50.000000000 -0500
@@ -63,6 +63,7 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#endif
#ifndef CLONE_NEWNS
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c~ 2006-12-07 10:38:43.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2006-12-07 10:40:17.000000000 -0500
@@ -455,23 +455,20 @@
* polyinstantiated instance directory.
*/
if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
+ context scontext;
+ context fcontext;
rc = getexeccon(&scon);
if (rc < 0 || scon == NULL) {
pam_syslog(idata->pamh, LOG_ERR,
"Error getting exec context, %m");
return PAM_SESSION_ERR;
}
- tclass = string_to_security_class("dir");
-
- if (security_compute_member(scon, *origcon, tclass,
- i_context) < 0) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error computing poly dir member context");
- freecon(scon);
- return PAM_SESSION_ERR;
- } else if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "member context returned by policy %s", *i_context);
+ scontext = context_new(scon);
+ fcontext = context_new(oricon);
+ context_range_set(fcontext, context_range_get(scontext));
+ i_context=strdup(context_str(fcontext));
+ context_free(scontext);
+ context_free(fcontext);
freecon(scon);
}
return PAM_SUCCESS;
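Review bot: The added "fcontext = context_new(oricon);" names "oricon", while the removed security_compute_member() call read the directory context as "*origcon", so this line will not compile as written and should be context_new(*origcon). The same removed code passed i_context as an output pointer and logged "*i_context", so "i_context=strdup(...)" only overwrites the local pointer and the caller never receives the new label; assign to *i_context instead. The two declarations use "context", but the libselinux type is context_t. None of context_new(), context_range_set() or strdup() is checked for failure, whereas the removed path logged an error, freed scon and returned PAM_SESSION_ERR; please keep that failure handling, and keep the PAMNS_DEBUG log of the resulting context so the computed label can still be traced.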
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf~ 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf 2006-12-07 10:39:13.000000000 -0500
@@ -25,6 +25,6 @@
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
-#/tmp /tmp-inst/ both root,adm
+#/tmp /tmp/tmp-inst/ both root,adm
#/var/tmp /var/tmp/tmp-inst/ both root,adm
-#$HOME $HOME/$USER.inst/inst- context
+#$HOME $HOME/$USER.inst/ context root,adm
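Review bot: The $HOME entry changes two things the message does not mention: the instance prefix goes from "$HOME/$USER.inst/inst-" to "$HOME/$USER.inst/", and "root,adm" is added in the exempt-users field where the old line had none. Please say why root and adm should be exempt from home directory polyinstantiation and why the "inst-" prefix is dropped, and consider sending the namespace.conf changes (including the move of the /tmp instances to /tmp/tmp-inst/) as a separate patch, since they are independent of the context computation fix in pam_namespace.c.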
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
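
The relabelling rule described in the message (keep the directory's user, role and type, take only the MLS range from the user logging in), as an added example that is not part of the original post or of pam_namespace. It works on context strings directly instead of going through libselinux; the function names and the sample contexts are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate the MLS range (4th field) of "user:role:type:range". The range may
 * itself contain ':' (as in "s0:c1"), so only the first three colons count
 * as separators. Returns NULL if the context has no non-empty range. */
static const char *range_of(const char *con)
{
    int i;

    for (i = 0; con != NULL && i < 3; i++) {
        con = strchr(con, ':');
        if (con != NULL)
            con++;
    }
    return (con != NULL && *con != '\0') ? con : NULL;
}

/* Hypothetical helper: keep user, role and type of the directory context
 * and take only the range from the user's context. The caller frees the
 * result; NULL means no label could be built. */
char *dir_context_at_user_level(const char *dircon, const char *usercon)
{
    const char *drange = range_of(dircon);
    const char *urange = range_of(usercon);
    size_t prefix;
    char *out;

    if (drange == NULL || urange == NULL)
        return NULL;
    prefix = (size_t)(drange - dircon);   /* length of "user:role:type:" */
    out = malloc(prefix + strlen(urange) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, dircon, prefix);
    strcpy(out + prefix, urange);
    return out;
}

int main(void)
{
    /* Constructed sample contexts, not taken from a real system. */
    char *c = dir_context_at_user_level("system_u:object_r:tmp_t:s0",
                                        "staff_u:staff_r:staff_t:s0:c1");

    printf("%s\n", c ? c : "(error)");
    free(c);
    return 0;
}
```

A context without a range field (a non-MLS label) yields NULL instead of a partially built label, so the caller can fail the session.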