306901 – pam_namespace does not work when SELinux is not available

Bug 306901 - pam_namespace does not work when SELinux is not available

Summary: pam_namespace does not work when SELinux is not available

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pam
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-26 13:17 UTC by Jan "Yenya" Kasprzak
Modified:	2008-06-03 09:55 UTC (History)
CC List:	0 users
Fixed In Version:	Fedora 9
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-06-03 09:55:04 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Do not fail when SELinux is not available (2.96 KB, patch) 2007-09-26 13:17 UTC, Jan "Yenya" Kasprzak	no flags	Details \| Diff
Updated patch (1.13 KB, patch) 2007-09-26 13:22 UTC, Jan "Yenya" Kasprzak	no flags	Details \| Diff
Correct patch (732 bytes, patch) 2007-09-26 14:31 UTC, Tomas Mraz	no flags	Details \| Diff
Show Obsolete (2) View All

Description Jan "Yenya" Kasprzak 2007-09-26 13:17:09 UTC

Description of problem:
pam_namespace does not work when SELinux is not available.

Version-Release number of selected component (if applicable):
pam-0.99.7.1-5.1.fc7

How reproducible:
100%

Steps to Reproduce:
1. Boot your kernel with selinux=0 (or use a vanilla kernel w/o SELinux configured)
2. echo "/tmp /tmp-inst user root" >> /etc/security/namespace.conf
3. echo "session required pam_namespace.so debug" >> /etc/pam.d/su
4. mkdir /tmp-inst; chmod 000 /tmp-inst
5. su <some existing login name>
  
Actual results:
Su fails in session initialization with the following message in /var/log/secure:
Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir
context, Operation not supported

Expected results:
When no SELinux features (such as "context" or "level" method) are requested in
namespace.conf, pam_namespace should not fail.

Additional info:
I will attach a patch to fix this problem. I am also posting it to pam-devel
list for further discussion.

Comment 1 Jan "Yenya" Kasprzak 2007-09-26 13:17:09 UTC

Created attachment 207051 [details]
Do not fail when SELinux is not available

Comment 2 Jan "Yenya" Kasprzak 2007-09-26 13:22:45 UTC

Created attachment 207091 [details]
Updated patch

Oops, the patch file had the differences included twice. Fixed patch attached.

Comment 3 Tomas Mraz 2007-09-26 14:31:21 UTC

Created attachment 207161 [details]
Correct patch

We need the orig context set even for USER polyinstatiation when SELinux is
enabled. So the original patch is not correct.

Comment 4 Jan "Yenya" Kasprzak 2007-09-26 15:51:58 UTC

Works for me (and it is simpler than my version), thanks!

Comment 5 Bug Zapper 2008-05-14 03:17:06 UTC

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.