Bug 373661

Summary: SELinux prevents pam_mount from working correctly
Product: [Fedora] Fedora
Reporter: Kyle Gonzales <kgonzale>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 8
Hardware: i386   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:07:05 UTC

Attachments:
* AVCs from when I try to log into the user with encrypted home directory
* More complete AVCs with additional audit messages

Description Kyle Gonzales 2007-11-09 20:22:35 UTC
Description of problem:
When SELinux is in enforcing mode, pam_mount is not allowed to mount an
encrypted home directory.  It is not allowing /bin/mount to run.  Strangely,
using "su -" to log into the user from root will prompt for the password, then
will correctly mount.

Version-Release number of selected component (if applicable):
Initial packages and policies in F8 final

How reproducible:
Every time

Steps to Reproduce:
1. Configure encrypted home directory
2. Edit /etc/security/pam_mount.conf
3. Try to login at console or via GDM
  
Actual results:
User logs in, but home directory is not mounted

Expected results:
User logs in, and home directory is mounted and accessed

Additional info:
SELinux messages -
* setroubleshoot: #012  SELinux is preventing login (local_login_t)
"execute_no_trans" to /bin/mount (mount_exec_t).#012
* setroubleshoot: #012  SELinux is preventing mount.crypt (local_login_t)
"execute_no_trans" to /sbin/cryptsetup (lvm_exec_t).#012

Comment 1 Kyle Gonzales 2007-11-09 20:37:49 UTC
Created attachment 253391
AVCs from when I try to log into the user with encrypted home directory

Comment 2 Kyle Gonzales 2007-11-09 20:53:12 UTC
Created attachment 253451
More complete AVCs with additional audit messages

Comment 3 Daniel Walsh 2007-11-10 12:16:00 UTC
If you turn on the boolean allow_polyinstantiation, this should work.

I will make mount_domtrans the default in the next version

setsebool -P allow_polyinstantiation=1

Fixed in selinux-policy-3.0.8-51.fc8

Comment 4 Daniel Walsh 2008-01-30 19:07:05 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
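
Added example (not part of the original report, and not Fedora or setroubleshoot code): a small Python parser for setroubleshoot summary lines like the two quoted in the description, grouping "execute_no_trans" denials by source domain to show which executables were run without a domain transition. The function names and the sample list are assumptions of this example; the sample lines are the report's two messages joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two setroubleshoot summaries quoted in the report,
# each joined onto one line; "#012" is syslog's octal escape for a newline.
SAMPLE = [
    'setroubleshoot: #012  SELinux is preventing login (local_login_t) '
    '"execute_no_trans" to /bin/mount (mount_exec_t).#012',
    'setroubleshoot: #012  SELinux is preventing mount.crypt (local_login_t) '
    '"execute_no_trans" to /sbin/cryptsetup (lvm_exec_t).#012',
]

# command (source domain) "permission" to path (target type)
SUMMARY = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<source>\w+)\)\s+'
    r'"(?P<perm>\w+)" to (?P<path>\S+) \((?P<target>\w+)\)'
)

def parse_summary(line):
    """Return the denial as a dict, or None if the line is not a summary."""
    text = re.sub(r'\s+', ' ', line.replace('#012', ' '))
    m = SUMMARY.search(text)
    return m.groupdict() if m else None

def missing_transitions(lines):
    """Map each source domain to the executables it ran without a transition.

    execute_no_trans is checked when a process executes a file and stays in
    its own domain, so a denial here means no transition took place and the
    source domain lacks that permission on the file type.
    """
    found = defaultdict(set)
    for line in lines:
        d = parse_summary(line)
        if d and d['perm'] == 'execute_no_trans':
            found[d['source']].add((d['path'], d['target']))
    return {src: sorted(pairs) for src, pairs in found.items()}

if __name__ == '__main__':
    for src, pairs in missing_transitions(SAMPLE).items():
        for path, target in pairs:
            print(f'{src} executed {path} ({target}) without a domain transition')
```

Both denials in the report group under local_login_t, which matches the fix described in Comment 3: the login domain needs a transition into the mount domain rather than permission to run these binaries itself.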