author | Tomas Mraz <tm@t8m.info> | 2007-06-15 09:38:11 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2007-06-15 09:38:11 +0000 |
commit | b3644707da87d61559f8322771a88d2162a47a4e (patch) | |
tree | 620084823d93226cdd9ea69cd375f1d7372c67f4 /modules/pam_namespace/namespace.conf | |
parent | 7b33ec050402db86919da97c720dacaf280681e6 (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix, new feature
Commit summary:
---------------
2007-06-15 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/README.xml: Avoid duplication of
documentation.
* modules/pam_namespace/namespace.conf: More real life example
from MLS support.
* modules/pam_namespace/namespace.conf.5.xml: Likewise plus
properly describe how instance directory names are formed.
* modules/pam_namespace/namespace.init: Preserve euid when
called from setuid apps (su, newrole).
* modules/pam_namespace/pam_namespace.8.xml: Added option
no_unmount_on_close.
* modules/pam_namespace/pam_namespace.c (process_line): Polyinst
methods are now user, level and context. Fix crash on unknown
override user in config file.
(ns_override): Add explicit uid parameter.
(form_context): Skip for user method. Implement level based
polyinstantiation.
(poly_name): Initialize contexts. Add level based polyinst,
remove 'both' method. Use raw contexts for instance names,
truncate long instance names and add hash.
(ns_setup): Hashing moved to poly_name().
(setup_namespace): Handle correctly override users for
su (when unmnt_remnt is used).
(pam_sm_close_session): Added no_unmount_on_close option.
* modules/pam_namespace/pam_namespace.h: Added
no_unmount_on_close_option, level method, limit on instance
directory name length.
Diffstat (limited to 'modules/pam_namespace/namespace.conf')
-rw-r--r-- | modules/pam_namespace/namespace.conf | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf index c7305ffe..f973225f 100644 --- a/modules/pam_namespace/namespace.conf +++ b/modules/pam_namespace/namespace.conf @@ -4,12 +4,10 @@ # # Uncommenting the following three lines will polyinstantiate # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will -# be polyinstantiated based on both security context as well as user -# name, whereas home directory will be polyinstantiated based on -# security context only. Polyinstantion will not be performed for -# user root and adm for directories /tmp and /var/tmp, whereas home -# directories will be polyinstantiated for all users. The user name -# and/or context is appended to the instance prefix. +# be polyinstantiated based on the MLS level part of the security context as well as user +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# The user name and context is appended to the instance prefix. # # Note that instance directories do not have to reside inside the # polyinstantiated directory. In the examples below, instances of /tmp @@ -25,6 +23,6 @@ # caution, as it will reduce security and isolation achieved by # polyinstantiation. # -#/tmp /tmp-inst/ both root,adm -#/var/tmp /var/tmp/tmp-inst/ both root,adm -#$HOME $HOME/$USER.inst/inst- context +#/tmp /tmp-inst/ level root,adm +#/var/tmp /var/tmp/tmp-inst/ level root,adm +#$HOME $HOME/$USER.inst/ level |
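Review bot: In the first hunk (@@ -4,12 +4,10), the rewritten comment no longer says how home directories are polyinstantiated. The old text stated "security context only"; the new text gives the level-plus-user-name basis only for /tmp and /var/tmp, although the $HOME example line now uses `level` as well. Suggest stating the method for $HOME explicitly. The closing sentence "The user name and context is appended to the instance prefix" also reads as if the whole context is appended, which does not match "the MLS level part of the security context" earlier in the same comment. On style, "name, Polyinstantion will not be performed" is a comma splice carrying a typo (should be "Polyinstantiation"), and the added lines are noticeably longer than the surrounding comment lines and should be rewrapped.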
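Review bot: In the second hunk (@@ -25,6 +23,6), the $HOME example changes two things at once without explanation: the method goes from `context` to `level`, and the instance prefix goes from `$HOME/$USER.inst/inst-` to `$HOME/$USER.inst/`. Going by the comment in the first hunk, `level` keys instances on the MLS level part of the context plus the user name, so home directories in this example are no longer separated by the full security context; if that is the intended trade-off for the MLS case, the comment block should say so. A site that uncommented the old lines still has `both` and the `inst-` prefix in its configuration, and per the commit message `both` is removed, yet nothing in the file tells the administrator to switch methods or what becomes of instance directories created under the old prefix. Suggest a short migration note above the example lines covering both points.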