SELinux denies pam_mount to mount my home directory on login. I tried both kdm and console login (/usr/bin/login?).

$ ausearch -m AVC -ts today
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=SYSCALL msg=audit(1416909698.047:1076): arch=c000003e syscall=4 success=yes exit=0 a0=7f1d00f97749 a1=7fff83d463b0 a2=7fff83d463b0 a3=0 items=0 ppid=951 pid=1523 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.047:1076): avc: denied { getattr } for pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:01:38 2014
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416909698.049:1077): arch=c000003e syscall=59 success=yes exit=0 a0=7fff83d464bc a1=7f1d0726c460 a2=7f1d07266750 a3=7f1d049522c0 items=0 ppid=1523 pid=2940 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416909698.049:1077): avc: denied { entrypoint } for pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.716:1517): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912773.716:1517): arch=c000003e syscall=4 success=yes exit=0 a0=7f7ab43c9749 a1=7fffb8a41cd0 a2=7fffb8a41cd0 a3=0 items=0 ppid=1 pid=4784 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.716:1517): avc: denied { getattr } for pid=4784 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:52:53 2014
type=PROCTITLE msg=audit(1416912773.717:1518): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912773.717:1518): arch=c000003e syscall=59 success=yes exit=0 a0=7fffb8a41ddc a1=14f5fd0 a2=14f0560 a3=7f7ab5637310 items=0 ppid=4784 pid=4802 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912773.717:1518): avc: denied { entrypoint } for pid=4802 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1536): proctitle=2F62696E2F6C6F67696E002D2D002020202020202020
type=SYSCALL msg=audit(1416912827.262:1536): arch=c000003e syscall=4 success=yes exit=0 a0=7f1c26633749 a1=7fff8ffbcfc0 a2=7fff8ffbcfc0 a3=0 items=0 ppid=1 pid=5017 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1536): avc: denied { getattr } for pid=5017 comm="login" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
time->Tue Nov 25 11:53:47 2014
type=PROCTITLE msg=audit(1416912827.262:1537): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=SYSCALL msg=audit(1416912827.262:1537): arch=c000003e syscall=59 success=yes exit=0 a0=7fff8ffbd0cc a1=aa4fd0 a2=a9f560 a3=7f1c278a1310 items=0 ppid=5017 pid=5033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="mount" exe="/usr/bin/mount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1416912827.262:1537): avc: denied { entrypoint } for pid=5033 comm="login" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1

I updated my Fedora from 20 to 21 and relabeled all files.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-92.fc21.noarch.

Additional info:
It's somewhat related to the following bugs:
#998129 - here the reporter on F20 sees some errors, but his home is mounted. My home is not mounted.
#1009668 - here the denied program runs as user_t / staff_t. My kdm runs as xdm_t and login runs as local_login_t.
Somewhere in the process these contexts are lost and unconfined_t tries to exec /usr/bin/mount.
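An added triage example, not part of the bug report or of the selinux-policy project: it groups ausearch lines by audit serial, decodes the hex-encoded proctitle into the command line that was run, and lists the events with an entrypoint denial. The function names are hypothetical and SAMPLE is constructed from two of the records above with the SYSCALL lines dropped.

```python
import re

# Constructed sample: two records in the shape of the ausearch output above
# (SYSCALL lines dropped); the hex proctitle is the value shown in the report.
SAMPLE = """\
----
type=PROCTITLE msg=audit(1416909698.047:1076): proctitle="-:0"
type=AVC msg=audit(1416909698.047:1076): avc: denied { getattr } for pid=1523 comm="kdm" path="/run/mount/utab" dev="tmpfs" ino=12358 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(1416909698.049:1077): proctitle=6D6F756E74002D746175746F002F6465762F7373642F6A73616672616E65002F686F6D652F6A73616672616E65002D6F63727970746F5F6E616D653D686F6D655F636C6561722C646973636172642C6E6F64697363617264
type=AVC msg=audit(1416909698.049:1077): avc: denied { entrypoint } for pid=2940 comm="kdm" path="/usr/bin/mount" dev="dm-1" ino=397318 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<tclass>\S+)')

def decode_proctitle(value):
    """Quoted values are literal; hex values hold NUL-separated argv bytes."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def parse(text):
    """Group records by audit serial, the number after ':' in msg=audit(ts:serial)."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
        if not m:
            continue  # separators such as "----" and time-> lines
        ev = events.setdefault(int(m.group(1)), {"argv": None, "avc": []})
        if line.startswith("type=PROCTITLE"):
            ev["argv"] = decode_proctitle(line.split("proctitle=", 1)[1].strip())
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:  # the SELinux type is the third field of a security context
                ev["avc"].append({
                    "perms": a["perms"].split(), "comm": a["comm"], "tclass": a["tclass"],
                    "source_type": a["s"].split(":")[2], "target_type": a["t"].split(":")[2]})
    return events

def entrypoint_denials(events):
    """Serials of events where a domain was denied entry via an executable's type."""
    return sorted(s for s, ev in events.items()
                  if any("entrypoint" in a["perms"] for a in ev["avc"]))

if __name__ == "__main__":
    for serial, ev in parse(SAMPLE).items():
        print(serial, ev["argv"], [(a["source_type"], a["perms"], a["target_type"]) for a in ev["avc"]])
```
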
a8041e60fdc0a38ae58991fc707ae9af8cdb7524 fixes this in git.
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.