Pam_mount and SELinux

W. Michael Petullo mike at flyn.org
Mon Apr 12 23:13:29 UTC 2004


As an exercise to help me learn the fundamentals of SELinux policies I
am trying to get pam_mount to work on an enforcing SELinux system.
Pam_mount is a module that allows password-protected volumes to be
mounted when a user logs in using the user's normal system password.

Pam_mount requires several special capabilities and I have modified my
su_macros.te to give them to the su command (it's a start).

1.  Pam_mount needs to be able to work in /var/run/pam_mount:
allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };

2.  Pam_mount needs to be able to read its configuration file:
allow $1_su_t etc_runtime_t:file { getattr read };
allow $1_su_t user_home_t:dir { getattr read };

3.  Pam_mount needs to be able to execute some commands in /sbin:
allow $1_su_t sbin_t:file { read execute };

4.  Pam_mount needs to be able to execute mount:
allow $1_su_t mount_exec_t:file { read execute };
allow $1_su_t $1_su_t:capability { fsetid };
domain_auto_trans($1_su_t, mount_exec_t, mount_t)

One problem I am having right now is that when pam_mount tries to execute
mount it fails with a "permission denied" error.  But I get no related
AVC log from SELinux.  If I disable SELinux's enforcing then I get no
error and everything works fine.

Other than that, I would like to hear any comments about the additional
requirements pam_mount has.  I am giving more capabilities to su and
therefore increasing risk.  Am I doing so in the right way?  Does anyone
have a better model to propose to accomplish this?

-- 
Mike

:wq
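
Added example, not part of the original post: a small Python checker that expands the `$1` macro parameter in the allow rules above and reports which permissions in a set of AVC denial lines those rules do not cover. The role prefix `user`, the function names and the sample log lines are constructed assumptions; `domain_auto_trans` and rules from the base policy are not considered.

```python
import re

# Allow rules copied from the post; $1 is the policy macro's role-prefix parameter.
RULES = """
allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };
allow $1_su_t etc_runtime_t:file { getattr read };
allow $1_su_t user_home_t:dir { getattr read };
allow $1_su_t sbin_t:file { read execute };
allow $1_su_t mount_exec_t:file { read execute };
allow $1_su_t $1_su_t:capability { fsetid };
"""

# Constructed AVC lines (not from the post), in the kernel's "avc: denied" layout.
SAMPLE_LOG = """
audit(1081811609.123:0): avc:  denied  { execute } for  pid=2301 comm="su" name="mount" dev=hda2 ino=1201 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:mount_exec_t tclass=file
audit(1081811609.130:0): avc:  denied  { search } for  pid=2301 comm="su" name="pam_mount" dev=hda2 ino=4410 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1081811609.141:0): avc:  denied  { read write } for  pid=2301 comm="su" name="example" dev=hda2 ino=4411 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:var_run_t tclass=file
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s*\{([^}]*)\}\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def load_rules(text, prefix):
    """Expand $1 with the role prefix and build {(source, target, class): perms}."""
    table = {}
    for src, tgt, cls, perms in RULE_RE.findall(text.replace("$1", prefix)):
        table.setdefault((src, tgt, cls), set()).update(perms.split())
    return table

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def uncovered(log, table):
    """Yield (source, target, class, missing_perms) for denials the rules do not allow."""
    for perms, scon, tcon, cls in AVC_RE.findall(log):
        key = (context_type(scon), context_type(tcon), cls)
        missing = set(perms.split()) - table.get(key, set())
        if missing:
            yield key + (sorted(missing),)

if __name__ == "__main__":
    for src, tgt, cls, missing in uncovered(SAMPLE_LOG, load_rules(RULES, "user")):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(missing)} }};")
```

A denial that this check reports as covered can still be refused in enforcing mode by something outside these seven rules, so the output is a review aid for the rules listed, not a full policy analysis.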


