Pam_mount and SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Apr 13 02:22:04 UTC 2004


W. Michael Petullo wrote:

>As an exercise to help me learn the fundamentals of SELinux policies I
>am trying to get pam_mount to work on an enforcing SELinux system.
>Pam_mount is a module that allows password-protected volumes to be
>mounted when a user logs in using the user's normal system password.
>
>Pam_mount requires several special capabilities and I have modified my
>su_macros.te to give them to the su command (it's a start).
>
>1.  Pam_mount needs to be able to work in /var/run/pam_mount:
>allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
>allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };
>  
>
Look at the macros.  You really want to create a transition rule that
tells the kernel to create files under a specific context in the
/var/run directory.  So a rule like

var_run_domain($1_su) will create a $1_su_var_run_t context.

>2.  Pam_mount needs to be able to read its configuration file:
>allow $1_su_t etc_runtime_t:file { getattr read };
>allow $1_su_t user_home_t:dir { getattr read };
>
>3.  Pam_mount needs to be able to execute some commands in /sbin:
>allow $1_su_t sbin_t:file { read execute };
>
>  
>
What files is it execing?  A better macro for execute privs is
can_exec($1_su_t, sbin_t)

>4.  Pam_mount needs to be able to execute mount:
>allow $1_su_t mount_exec_t:file { read execute };
>allow $1_su_t $1_su_t:capability { fsetid };
>domain_auto_trans($1_su_t, mount_exec_t, mount_t)
>
>  
>
domain_auto_trans will provide the first rule.

>One problem I am having right now is that when pam_mount tries to execute
>mount it fails with a "permission denied" error.  But I get no related
>AVC log from SELinux.  If I disable SELinux's enforcing then I get no
>error and everything works fine.
>
>  
>
What is the mount point?  Is there a mounton rule for it?

>Other than that, I would like to hear any comments about the additional
>requirements pam_mount has.  I am giving more capabilities to su and
>therefore increasing risk.  Am I doing so in the right way?  Does anyone
>have a better model to propose to accomplish this?
>
>  
>


