Description of problem:
pam_namespace does not work when SELinux is not available.

Version-Release number of selected component (if applicable):
pam-0.99.7.1-5.1.fc7

How reproducible:
100%

Steps to Reproduce:
1. Boot your kernel with selinux=0 (or use a vanilla kernel w/o SELinux configured)
2. echo "/tmp /tmp-inst user root" >> /etc/security/namespace.conf
3. echo "session required pam_namespace.so debug" >> /etc/pam.d/su
4. mkdir /tmp-inst; chmod 000 /tmp-inst
5. su <some existing login name>

Actual results:
Su fails in session initialization with the following message in /var/log/secure:
Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir context, Operation not supported

Expected results:
When no SELinux features (such as "context" or "level" method) are requested in namespace.conf, pam_namespace should not fail.

Additional info:
I will attach a patch to fix this problem. I am also posting it to pam-devel list for further discussion.
Created attachment 207051 [details] Do not fail when SELinux is not available
Created attachment 207091 [details] Updated patch
Oops, the patch file had the differences included twice. Fixed patch attached.
Created attachment 207161 [details] Correct patch
We need the orig context set even for USER polyinstantiation when SELinux is enabled. So the original patch is not correct.
Works for me (and it is simpler than my version), thanks!
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping