Pam_mount and SELinux

W. Michael Petullo mike at flyn.org
Thu Apr 15 00:35:46 UTC 2004


>> I added a mounton rule, but this did not solve my problem.  I am
>> especially confused by the fact that SELinux is not logging any failures.
>> I would expect an "avc: denied" error.  This feels like a traditional
>> Unix permissions issue but does not occur when SELinux is not enforcing
>> its policies.
 
> There are a few things that SELinux will deny but not generate a log
> message for.  is the big one.  That's bitten me in the past.
> 
> In your particular case, if pam_mount is being run before su transitions
> to the sysadm_r role, then you'll probably get denials from user_r not
> being authorized for the mount_t domain.
> 
> Solution:
> 
> role $1_r types mount_t;

Great!  The pam_mount module is now working for me in enforcing mode.
Once I go through and clean things up I'll share my work.

Why would SELinux not log some denials?

-- 
Mike

:wq


