Pam_mount and SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Apr 15 01:19:13 UTC 2004


W. Michael Petullo wrote:

>>>I added a mounton rule, but this did not solve my problem.  I am
>>>especially confused by the fact that SELinux is not logging any failures.
>>>I would expect an "avc: denied" error.  This feels like a traditional
>>>Unix permissions issue but does not occur when SELinux is not enforcing
>>>its policies.
>
>>There are a few things that SELinux will deny but not generate a log
>>message for.  is the big one.  That's bitten me in the past.
>>
>>In your particular case, if pam_mount is being run before su transitions
>>to the sysadm_r role, then you'll probably get denials from user_r not
>>being authorized for the mount_t domain.
>>
>>Solution:
>>
>>role $1_r types mount_t;
>
>Great!  The pam_mount module is now working for me in enforcing mode.
>Once I go through and clean things up I'll share my work.
>
>Why would SELinux not log some denials?
>
This is a bug in the kernel that has not been upstreamed yet.
Hopefully it will be fixed soon.
This type of thing has burnt me several times also.

Dan
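The cause and fix discussed above (pam_mount runs before su's role transition, so the active role must itself be authorized for mount_t, which `role $1_r types mount_t;` adds) as an added example that is not part of this thread: a small Python checker that reads old-style monolithic policy source, expands the `$1` user-macro parameter the way the user macros are instantiated, and reports whether the pre-transition role may enter mount_t. The user prefixes, the policy fragments and the function names are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Matches 'role <role> types <type> [<type> ...];' (braces around the type list allowed).
ROLE_RE = re.compile(r"^\s*role\s+(\S+)\s+types\s+\{?\s*([^;}]+?)\s*\}?\s*;")

# Constructed for this example: the user prefixes the old example policy's user
# macros are instantiated with (assumption: user, staff and sysadm).
USER_PREFIXES = ("user", "staff", "sysadm")


def expand_macro_line(line, prefixes=USER_PREFIXES):
    """Instantiate a '$1_...' macro line once per user prefix, as m4 would."""
    if "$1_" not in line:
        return [line]
    return [line.replace("$1_", prefix + "_") for prefix in prefixes]


def parse_role_types(policy_text, prefixes=USER_PREFIXES):
    """Return {role: set(types)} for every role statement in the policy source."""
    roles = defaultdict(set)
    for raw in policy_text.splitlines():
        for line in expand_macro_line(raw, prefixes):
            m = ROLE_RE.match(line)
            if m:
                roles[m.group(1)].update(m.group(2).split())
    return dict(roles)


def role_authorized(roles, role, domain):
    """True if a process running in 'role' is allowed to be in 'domain'."""
    return domain in roles.get(role, set())


def pam_mount_denied(policy_text, active_role="user_r"):
    """pam_mount runs before su changes role, so check the pre-transition role."""
    return not role_authorized(parse_role_types(policy_text), active_role, "mount_t")


# Constructed policy fragments: before the fix only sysadm_r may enter mount_t ...
POLICY_BEFORE = """\
role sysadm_r types mount_t;
role $1_r types $1_t;
"""
# ... and with the rule from the thread every user role may.
POLICY_AFTER = POLICY_BEFORE + "role $1_r types mount_t;\n"

if __name__ == "__main__":
    print("denied before fix:", pam_mount_denied(POLICY_BEFORE))  # True
    print("denied after fix: ", pam_mount_denied(POLICY_AFTER))   # False
```

On a live system the same role-to-type authorization can be listed with setools' `seinfo -r user_r -x` instead of reading policy source.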



More information about the fedora-selinux-list mailing list