Red Hat Bugzilla – Bug 306901
pam_namespace does not work when SELinux is not available
Last modified: 2008-06-03 05:55:04 EDT
Description of problem:
pam_namespace does not work when SELinux is not available.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Boot your kernel with selinux=0 (or use a vanilla kernel w/o SELinux configured)
2. echo "/tmp /tmp-inst user root" >> /etc/security/namespace.conf
3. echo "session required pam_namespace.so debug" >> /etc/pam.d/su
4. mkdir /tmp-inst; chmod 000 /tmp-inst
5. su <some existing login name>
Su fails in session initialization with the following message in /var/log/secure:
Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir context, Operation not supported
When no SELinux features (such as "context" or "level" method) are requested in
namespace.conf, pam_namespace should not fail.
I will attach a patch to fix this problem. I am also posting it to pam-devel
list for further discussion.
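An added example, not part of the bug report or the attached patches: a shell check that lists the namespace.conf entries using the "context" or "level" method, which per the report above are the only ones that should need SELinux. The function names and the sample file are constructed for illustration; the field layout and the optional ":flags" suffix on the method follow namespace.conf(5).

```shell
#!/bin/sh
# Added example: audit a namespace.conf for entries that depend on SELinux.
# Field layout per namespace.conf(5): polydir instance_prefix method [uids]

# Print "polydir method" for every entry whose method is "context" or "level".
selinux_entries() {
    awk '
        $1 ~ /^#/ { next }            # skip comment lines
        NF >= 3 {
            split($3, m, ":")         # drop optional :flags after the method
            if (m[1] == "context" || m[1] == "level")
                print $1, m[1]
        }
    ' "$1"
}

# Return 0 when no entry requests an SELinux-based method, i.e. the
# configuration should be usable on a kernel booted with selinux=0.
works_without_selinux() {
    [ -z "$(selinux_entries "$1")" ]
}

# Constructed sample: the entry from the report plus one "level" entry.
sample_conf() {
    cat <<'EOF'
# polydir  instance_prefix  method  uids
/tmp      /tmp-inst        user    root
/var/tmp  /var/tmp-inst/   level   root,adm
EOF
}

# When run with a file argument, list the SELinux-dependent entries in it.
if [ "$#" -gt 0 ]; then
    selinux_entries "$1"
fi
```

Run it with /etc/security/namespace.conf as the argument; no output means every entry uses a method that does not depend on SELinux.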
Created attachment 207051
Do not fail when SELinux is not available
Created attachment 207091
Oops, the patch file had the differences included twice. Fixed patch attached.
Created attachment 207161
We need the orig context set even for USER polyinstantiation when SELinux is
enabled. So the original patch is not correct.
Works for me (and it is simpler than my version), thanks!
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here: