Pam_mount and SELinux

W. Michael Petullo mike at flyn.org
Fri Apr 16 22:27:45 UTC 2004


[...]
>>1.  Pam_mount needs to be able to work in /var/run/pam_mount:
>>allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
>>allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };

> Look at the macros. You really want to create a transition rule that
> tells the kernel to create files under a specific context in the
> /var/run directory.  So a rule like var_run_domain($1_su) will create
> a $1_su_var_run_t context.

I think I want to make a pam_mount context of some type.  This is
because login, gdm, su, etc. will all share the same /var/run/pam_mount.
But when I try to do something like "var_run_domain(pam_mount)" I get
the following errors on make load:

[...]
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
domains/user.te:47:ERROR 'name conflict for type pam_mount_var_run_t' at token ';' on line 39900:
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;
#line 47
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
[...]

Obviously, var_run_domain(pam_mount) is a reach.  Could someone explain
a little more about how that var_run_domain works?

[...]
>> I added a mounton rule, but this did not solve my problem.  I am
>> especially confused by the fact that SELinux is not logging any failures.
>> I would expect an "avc: denied" error.  This feels like a traditional
>> Unix permissions issue but does not occur when SELinux is not enforcing
>> its policies.
[...]

[...]
> Solution:
>
> role $1_r types mount_t;
[...]

The following does what I need:

domain_auto_trans($1_su_t, mount_exec_t, mount_t)
role $1_r types mount_t;

But out of curiosity, why does the domain_auto_trans statement not imply
the role statement?  Would you ever have a domain_auto_trans without
a role?

-- 
Mike

:wq
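An added illustration, not part of Mike's message or of the Fedora policy sources: a hypothetical pam_mount.te fragment in the monolithic, m4-macro policy style of this thread, showing a shared pam_mount_var_run_t declared once, the core rules that domain_auto_trans expands to, and why the role statement is a separate authorisation. The file name and the local_login_t / xdm_t domains are assumptions; $1_su_t, mount_exec_t and mount_t come from the thread.

```m4
# Added example (not from the original message): hypothetical pam_mount.te
# fragment in the monolithic policy.conf macro style used in this thread.

# 1. The shared /var/run/pam_mount type is declared exactly once, at file
#    scope. A "type ..." declaration placed inside a per-user macro such as
#    full_user_role is expanded once per role, and checkpolicy rejects a
#    type declared twice with a "name conflict for type" error.
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;

# 2. Each domain that runs pam_mount gets create/write access to the type
#    plus a type_transition, so files it creates under var_run_t are
#    labelled pam_mount_var_run_t without pam_mount having to relabel them
#    (local_login_t and xdm_t are assumed example domains).
file_type_auto_trans(local_login_t, var_run_t, pam_mount_var_run_t, file)
file_type_auto_trans(xdm_t, var_run_t, pam_mount_var_run_t, file)
# Inside a per-user macro, $1 is the role prefix, as in the thread:
file_type_auto_trans($1_su_t, var_run_t, pam_mount_var_run_t, file)

# 3. The core of what domain_auto_trans($1_su_t, mount_exec_t, mount_t)
#    expands to (the full macro adds fd, sigchld and dontaudit rules):
allow $1_su_t mount_exec_t:file { getattr read execute };  # may run mount
allow mount_t mount_exec_t:file entrypoint;                # mount_t is entered via it
allow $1_su_t mount_t:process transition;                  # old domain -> new domain
type_transition $1_su_t mount_exec_t:process mount_t;      # and do so by default

# 4. None of the rules above mention the role part of the context. A
#    process running as user_u:$1_r:$1_su_t would become
#    user_u:$1_r:mount_t, and that context is only valid if the role is
#    authorised for the type. That check is independent of the type
#    transition, which is why the role statement has to be written out:
role $1_r types mount_t;
```

Without the role line the transition is refused with an invalid-context error rather than an "avc: denied" message, since the role/type pairing is validated before any allow rule is consulted.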



More information about the fedora-selinux-list mailing list