Bug 306901 - pam_namespace does not work when SELinux is not available
pam_namespace does not work when SELinux is not available
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-09-26 09:17 EDT by Jan "Yenya" Kasprzak
Modified: 2008-06-03 05:55 EDT (History)
0 users

See Also:
Fixed In Version: Fedora 9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-03 05:55:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Do not fail when SELinux is not available (2.96 KB, patch)
2007-09-26 09:17 EDT, Jan "Yenya" Kasprzak
no flags Details | Diff
Updated patch (1.13 KB, patch)
2007-09-26 09:22 EDT, Jan "Yenya" Kasprzak
no flags Details | Diff
Correct patch (732 bytes, patch)
2007-09-26 10:31 EDT, Tomas Mraz
no flags Details | Diff

  None (edit)
Description Jan "Yenya" Kasprzak 2007-09-26 09:17:09 EDT
Description of problem:
pam_namespace does not work when SELinux is not available.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Boot your kernel with selinux=0 (or use a vanilla kernel w/o SELinux configured)
2. echo "/tmp /tmp-inst user root" >> /etc/security/namespace.conf
3. echo "session required pam_namespace.so debug" >> /etc/pam.d/su
4. mkdir /tmp-inst; chmod 000 /tmp-inst
5. su <some existing login name>
Actual results:
Su fails in session initialization with the following message in /var/log/secure:
Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir
context, Operation not supported

Expected results:
When no SELinux features (such as "context" or "level" method) are requested in
namespace.conf, pam_namespace should not fail.

Additional info:
I will attach a patch to fix this problem. I am also posting it to pam-devel
list for further discussion.
Comment 1 Jan "Yenya" Kasprzak 2007-09-26 09:17:09 EDT
Created attachment 207051 [details]
Do not fail when SELinux is not available
Comment 2 Jan "Yenya" Kasprzak 2007-09-26 09:22:45 EDT
Created attachment 207091 [details]
Updated patch

Oops, the patch file had the differences included twice. Fixed patch attached.
Comment 3 Tomas Mraz 2007-09-26 10:31:21 EDT
Created attachment 207161 [details]
Correct patch

We need the orig context set even for USER polyinstatiation when SELinux is
enabled. So the original patch is not correct.
Comment 4 Jan "Yenya" Kasprzak 2007-09-26 11:51:58 EDT
Works for me (and it is simpler than my version), thanks!
Comment 5 Bug Zapper 2008-05-13 23:17:06 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:

Note You need to log in before you can comment on or make changes to this bug.