Pam_mount and SELinux
W. Michael Petullo
mike at flyn.org
Fri Apr 16 22:27:45 UTC 2004
[...]
>>1. Pam_mount needs to be able to work in /var/run/pam_mount:
>>allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
>>allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };
> Look at the macros. You really want to create a transition rule that
> tells the kernel to create files under a specific context in the /var/run
> directory. So a rule like var_run_domain($1_su) will create a
> $1_su_var_run_t context.
I think I want to make a pam_mount context of some type. This is
because login, gdm, su, etc. will all share the same /var/run/pam_mount.
But when I try to do something like "var_run_domain(pam_mount)" I get
the following errors on make load:
[...]
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/user.te:47:ERROR 'name conflict for type pam_mount_var_run_t' at token ';' on line 39900:
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;
#line 47
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
[...]
Obviously, var_run_domain(pam_mount) is a reach. Could someone explain
a little more about how that var_run_domain works?
[...]
>> I added a mounton rule, but this did not solve my problem. I am
>> especially confused by the fact that SELinux is not logging any failures.
>> I would expect an "avc: denied" error. This feels like a traditional
>> Unix permissions issue but does not occur when SELinux is not enforcing
>> its policies.
[...]
> Solution:
>
> role $1_r types mount_t;
[...]
The following does what I need:
domain_auto_trans($1_su_t, mount_exec_t, mount_t)
role $1_r types mount_t;
But out of curiosity, why does the domain_auto_trans statement not imply
the role statement? Would you ever have a domain_auto_trans without
a role?
--
Mike
:wq
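As an added example (not part of Mike's post or of pam_mount itself), a small Python lint for the two problems raised in this thread: a type declared twice, which is what checkpolicy's "name conflict" error means, and a process transition whose target type no `role ... types` statement authorizes, which leaves the new context invalid so the exec is refused without any "avc: denied" message. The policy fragment is constructed for the example and the regexes assume the plain one-rule-per-line syntax seen in the quoted rules.

```python
import re
from collections import Counter

# Constructed .te-style fragment modelled on the thread. The lint accepts the
# macro form (domain_auto_trans, .te sources) and the expanded form
# (type_transition ...:process, policy.conf) that checkpolicy actually reads.
SAMPLE_TE = """
# hand-written declaration plus the same type emitted by a macro expansion
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;
# the working pair from the thread: transition plus its role statement
domain_auto_trans($1_su_t, mount_exec_t, mount_t)
role $1_r types mount_t;
# constructed: a transition whose target type no role is authorized for
domain_auto_trans($1_su_t, pam_mount_exec_t, pam_mount_t)
# expanded form, authorized through a braced role type list
type_transition $1_su_t umount_exec_t:process umount_t;
role sysadm_r types { umount_t };
"""

TYPE_DECL = re.compile(r"^\s*type\s+([\w$]+)\s*[,;]", re.M)
AUTO_TRANS = re.compile(r"domain_auto_trans\(\s*([\w$]+)\s*,\s*([\w$]+)\s*,\s*([\w$]+)\s*\)")
TYPE_TRANS = re.compile(r"type_transition\s+([\w$]+)\s+([\w$]+):process\s+([\w$]+)\s*;")
ROLE_TYPES = re.compile(r"role\s+([\w$]+)\s+types\s+(\{[^}]*\}|[\w$]+)\s*;")

def strip_comments(policy):
    """Drop '#' comments so commented-out rules are not counted."""
    return re.sub(r"#.*", "", policy)

def duplicate_types(policy):
    """Types declared more than once: the 'name conflict' checkpolicy stops on."""
    counts = Counter(TYPE_DECL.findall(strip_comments(policy)))
    return sorted(t for t, n in counts.items() if n > 1)

def role_authorized_types(policy):
    """Map each role to the set of types its 'role R types ...;' lines grant."""
    roles = {}
    for role, types in ROLE_TYPES.findall(strip_comments(policy)):
        roles.setdefault(role, set()).update(types.strip("{} ").split())
    return roles

def unauthorized_transitions(policy):
    """(source, target) pairs whose target type no role statement grants.
    Such a transition yields an invalid context rather than an AVC denial."""
    text = strip_comments(policy)
    authorized = set().union(*role_authorized_types(text).values())
    transitions = AUTO_TRANS.findall(text) + TYPE_TRANS.findall(text)
    return sorted({(src, tgt) for src, _exe, tgt in transitions if tgt not in authorized})
```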