I added the following line to the end of /etc/pam.d/[login,sshd,su]:

    session required pam_namespace.so debug

I added the following line to /etc/security/namespace.conf:

    /var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm
If I ssh to test@localhost and touch /var/polyinstantiated/foo I get

    cd /var
    [root@cipso var]# ls -lR polyinstantiated/
    polyinstantiated/:
    total 20
    d--------- 3 root root 4096 Jun 23 18:32 polyinstantiated-inst

    polyinstantiated/polyinstantiated-inst:
    total 8
    drwxrwxrwx 2 root root 4096 Jun 23 18:41 test

    polyinstantiated/polyinstantiated-inst/test:
    total 8
    -rw-rw-r-- 1 test test 0 Jun 23 18:41 bar
    -rw-rw-r-- 1 test test 0 Jun 23 18:35 foo
Shouldn't the instance name be the context instead of the username (test)?
joe
On Sun, 2006-06-25 at 12:55 -0500, Joe Nall wrote:
Can you tell me if this happens for login as well as ssh, and if your /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module?
Since you are using the debug option, /var/log/secure should have a bunch of pam_namespace options connected to this session. Can you tell me what the "poly_name ..." and "Inst ctxt .." messages look like?
Currently the namespace module switches to the "user" mode even if the namespace.conf specifies "context" or "both" in the event that the program has not requested a context change for the next exec using setexeccon.
Thanks.
-Janak
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Jun 26, 2006, at 8:46 AM, Janak Desai wrote:
Can you tell me if this happens for login as well as ssh, and if your /etc/pam.d/[login,ssh] files are also stacking the pam_selinux module?
I've been testing using su/ssh from an xterm in MLS/permissive.
If I login as user 'test' to a virtual terminal, the context is 'root:object_r:var_t:SystemLow'. Shouldn't it be 'user_u:user_r:user_t:SystemLow'? That is what 'id -Z' shows after I login.
/etc/pam.d/login

    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    include      system-auth
    session    required     pam_loginuid.so
    session    optional     pam_console.so
    # pam_selinux.so open should be the last session rule
    session    required     pam_selinux.so open
    session    required     pam_namespace.so debug

/etc/pam.d/su

    #%PAM-1.0
    auth       sufficient   pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth      sufficient   pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth      required     pam_wheel.so use_uid
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
    session    optional     pam_xauth.so
    session    required     pam_namespace.so debug unmt_remnt

/etc/pam.d/sshd

    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
    session    required     pam_loginuid.so
    session    required     pam_namespace.so debug
Since you are using the debug option, /var/log/secure should have a bunch of pam_namespace options connected to this session. Can you tell me what the "poly_name ..." and "Inst ctxt .." messages look like?
For the virtual terminal login case
Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
For the ssh from another machine case
Jun 26 11:05:56 cipso login: pam_unix(login:session): session opened for user testdev by LOGIN(uid=0)
Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Configured poly dirs:
Jun 26 11:05:56 cipso login: pam_namespace(login:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=1
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 0
Jun 26 11:05:56 cipso login: pam_namespace(login:session): override user 3
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set up namespace for pid 6703
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:05:56 cipso login: pam_namespace(login:session): member context returned by policy root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/root:object_r:var_t:SystemLow
Jun 26 11:05:56 cipso login: pam_namespace(login:session): namespace setup ok for pid 6703
ssh test@localhost case (why is this different?)
Jun 26 11:21:52 cipso sshd[2548]: pam_unix(sshd:session): session opened for user testdev by (uid=0)
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Configured poly dirs:
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 0
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): override user 3
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set up namespace for pid 2548
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): namespace setup ok for pid 2548
For the su - test case
Jun 26 11:10:00 cipso su: pam_unix(su:session): session opened for user testdev by root(uid=0)
Jun 26 11:10:00 cipso su: pam_namespace(su:session): open_session - start
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Parsing config file /etc/security/namespace.conf
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Configured poly dirs:
Jun 26 11:10:00 cipso su: pam_namespace(su:session): dir='/var/polyinstantiated' iprefix='/var/polyinstantiated/polyinstantiated-inst/' meth=0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 0
Jun 26 11:10:00 cipso su: pam_namespace(su:session): override user 3
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set up namespace for pid 6784
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Need poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Checking for ns override in dir /var/polyinstantiated for uid 500
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Setting poly ns for user 500 for dir /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Set namespace for directory /var/polyinstantiated
Jun 26 11:10:00 cipso su: pam_namespace(su:session): poly_name testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): Inst context (null) Orig context root:object_r:var_t:SystemLow
Jun 26 11:10:00 cipso su: pam_namespace(su:session): instance_dir /var/polyinstantiated/polyinstantiated-inst/testdev
Jun 26 11:10:00 cipso su: pam_namespace(su:session): namespace setup ok for pid 6784
Currently the namespace module switches to the "user" mode even if the namespace.conf specifies "context" or "both" in the event that the program has not requested a context change for the next exec using setexeccon.
On Mon, 2006-06-26 at 11:29 -0500, Joe Nall wrote:
Thanks for the info. The context in the "context" mode of polyinstantiating is not automatically set to the context of the shell, but it is set to the context returned by security_compute_member(). security_compute_member() asks the policy to compute the security context of a polyinstantiated member/instance based on the source (which in this case is the shell) context, and the context of the directory to polyinstantiate.
I will sync with the latest policy sources from rawhide, experiment with the type-member rules and let you know how you can control the context of polyinstantiated instances.
-Janak
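The naming rule Janak describes above (context naming only when the calling program requested an exec context, otherwise a fallback to per-user instances, with the context itself coming from security_compute_member()) can be checked against the debug output Joe pasted. The following is an added Python example, not part of the thread and not pam_namespace's own code: it models the instance-name choice and audits /var/log/secure debug lines for sessions that fell back to user naming. The context_user form for the "both" method is an assumption; the sample lines are taken from Joe's excerpts.

```python
import re

def parse_namespace_conf(text):
    """Parse namespace.conf (polydir instance_prefix method [override_users])."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        polydir, iprefix, method, *rest = line.split()
        if method not in ("user", "context", "both"):
            raise ValueError(f"unknown method {method!r} for {polydir}")
        overrides = set(rest[0].split(",")) if rest else set()
        entries.append({"polydir": polydir, "iprefix": iprefix,
                        "method": method, "override": overrides})
    return entries

def instance_name(method, user, exec_context, member_context):
    """exec_context: set by the caller via setexeccon(), None if it did not;
    member_context: returned by policy via security_compute_member(). With no exec
    context 'context'/'both' degrade to 'user'; the 'both' form is an assumption."""
    if exec_context is None or method == "user":
        return user
    if method == "context":
        return member_context
    return f"{member_context}_{user}"

LOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<tag>[^:\s]+): "
                    r"pam_namespace\((?P<svc>\w+):session\): (?P<msg>.*)$")

def audit_secure_log(lines, expected_method):
    """One record per session (a new one at each 'open_session - start' for a
    syslog tag); flag sessions named by user although context/both was configured."""
    sessions, current = [], {}
    for m in filter(None, map(LOG_RE.match, lines)):
        tag, msg = m["tag"], m["msg"]
        if msg == "open_session - start" or tag not in current:
            current[tag] = {"tag": tag, "service": m["svc"]}
            sessions.append(current[tag])
        s = current[tag]
        if msg.startswith("poly_name "):
            s["poly_name"] = msg[len("poly_name "):]
        elif msg.startswith("Inst context "):
            # "Inst context X Orig context Y": X is "(null)" in the user-fallback case
            s["inst_context"] = msg[len("Inst context "):].split(" Orig context")[0]
    for s in sessions:
        s["fell_back"] = expected_method != "user" and s.get("inst_context") == "(null)"
    return sessions

# Sample input: Joe's namespace.conf line and lines taken from his /var/log/secure excerpts
SAMPLE_CONF = "/var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm\n"
SAMPLE_LOG = [
    "Jun 26 11:05:56 cipso login: pam_namespace(login:session): open_session - start",
    "Jun 26 11:05:56 cipso login: pam_namespace(login:session): poly_name root:object_r:var_t:SystemLow",
    "Jun 26 11:05:56 cipso login: pam_namespace(login:session): Inst context root:object_r:var_t:SystemLow Orig context root:object_r:var_t:SystemLow",
    "Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): open_session - start",
    "Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): poly_name testdev",
    "Jun 26 11:21:52 cipso sshd[2548]: pam_namespace(sshd:session): Inst context (null) Orig context root:object_r:var_t:SystemLow",
]

if __name__ == "__main__":
    method = parse_namespace_conf(SAMPLE_CONF)[0]["method"]
    for s in audit_secure_log(SAMPLE_LOG, method):
        print(s["tag"], s["poly_name"], "FELL BACK TO USER NAMING" if s["fell_back"] else "ok")
```

Run against a real /var/log/secure, a "fell back" hit on a context or both polydir means that session's instance separates by username only, not by security context.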