Pam_mount and SELinux
Stephen Smalley
sds at epoch.ncsc.mil
Thu Apr 15 11:49:02 UTC 2004
On Wed, 2004-04-14 at 17:50, W. Michael Petullo wrote:
> I added a mounton rule, but this did not solve my problem. I am
> especially confused by the fact that SELinux is not logging any failures.
> I would expect an "avc: denied" error. This feels like a traditional
> Unix permissions issue but does not occur when SELinux is not enforcing
> its policies.
If you are trying to do this from user_r, then it will fail because the
user_r role is not presently authorized for the mount_t domain. The
preferred approach would be to use the mount_domain() macro to define a
separate user_mount_t domain that is less privileged than the full
mount_t domain, and then authorize user_r for it.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list