[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Pam_mount and SELinux

W. Michael Petullo wrote:

As an exercise to help me learn the fundamentals of SELinux policies I
am trying to get pam_mount to work one an enforcing SELinux system.
Pam_mount is a module that allows password-protected volumes to be
mounted when a user logs in using the users normal system password.

Pam_mount requires several special capabilities and I have modified my
su_macros.te to give them to the su command (its a start).

1. Pam_mount needs be able to work in /var/run/pam_mount:
allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };

Look at the macros, You really want to create a transition rule that tells the kernel to create
files under a specific context in the /var/run directory. So a rule like

var_run_domain($1_su) will create a $1_su_var_run_t context.

2.  Pam_mount needs to be able to read its configuration file:
allow $1_su_t etc_runtime_t:file { getattr read };
allow $1_su_t user_home_t:dir { getattr read };

3.  Pam_mount needs to be able to execute some commands in /sbin:
allow $1_su_t sbin_t:file { read execute };

What files is it execing.  A better macro for execute privs is
can_exec($1_su_t, sbin_t)

4.  Pam_mount needs to be able to execute mount:
allow $1_su_t mount_exec_t:file { read execute };
allow $1_su_t $1_su_t:capability { fsetid };
domain_auto_trans($1_su_t, mount_exec_t, mount_t)

domain_auto_trans will provide the first rule.

One problem I am having right now is that when pam_mount tries to execute
mount it fails with a "permission denied" error.  But I get no related
AVC log from SELinux.  If I disable SELinux's enforcing then I get no
error and everything works fine.

What is the mount point? Is there a mounton rule for it?

Other than that, I would like to hear any comments about the additional
requirements pam_mount has.  I am giving more capabilities to su and
therefore increasing risk.  Am I doing so in the right way?  Does anyone
have a better model to propose to accomplish this?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]