SELinux Mailing List

Re: policy issues in 2.3.18-10 - sshd & polyinstantiation

From: Klaus Weidner <klaus_at_atsec.com>
Date: Tue, 17 Oct 2006 17:12:11 -0500


On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
> So polyinstantiation is broken, it used to work at one point. The
> following is the log of what seems to be causing the failure. I'm
> looking into this, but it would be nice to have someone more adept at
> policy wrangling to jump in and save the day.

The current LSPP ks script sets up policy and contexts to support polyinstantiation. I've attached the policy; here's the script fragment. Polyinstantiation parent dirs need to be polyparent_t, and /etc/security/namespace.init needs to be pam_exec_t or something similar.

(Don't use chcon, define persistent file contexts instead to ensure that they don't get overwritten on the next autorelabel. And remember how nice it is that SELinux doesn't do path-based security ;-)

-Klaus

# Fragment of the LSPP kickstart script: Title, ShallI, Log and Replace are
# helper functions defined elsewhere in that script; $_BASE/$_NAMESPACE_CONF
# is the namespace.conf that will be installed.
ConfigurePolyinstantiation() {

    Title " Configure polyinstantiation"

    if ShallI "Update polyinstantiation (pam_namespace) configuration"; then

        # Column 2 of namespace.conf is the instance_prefix, i.e. the parent
        # directory under which pam_namespace creates the per-user instances.
        local DIRS=$(
                awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
        )
        Log "Creating base dirs: $DIRS"
        # Instance parents must be mode 000 (see pam_namespace(8)).
        mkdir -m 0 $DIRS

        local D
        for D in $DIRS; do
                # semanage fcontext takes a regex: strip the trailing slash and
                # backslash-escape every regex metacharacter (the 'g' flag is
                # needed so that all of them are escaped, not just the first).
                semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
                        s/\/$//;
                        s/\([.*?]\)/\\\1/g;
                ')
        done
        # Apply the persistent contexts just defined.
        restorecon $DIRS

        # FIXME: following should be fixed in upstream package?
        semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
        restorecon /etc/security/namespace.init

        Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF

    else
        Log "configuration update declined."
        _FAILURE=1

    fi
}

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Tue 17 Oct 2006 - 18:12:21 EDT

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service