Bug 373661 - SELinux prevents pam_mount from working correctly
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-11-09 20:22 UTC by Kyle Gonzales
Modified: 2008-01-30 19:07 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:07:05 UTC
Type: ---

Attachments:
AVCs from when I try to log into the user with encrypted home directory (1.17 KB, application/octet-stream)
2007-11-09 20:37 UTC, Kyle Gonzales
More complete AVCs with additional audit messages (1.59 KB, application/octet-stream)
2007-11-09 20:53 UTC, Kyle Gonzales

Description Kyle Gonzales 2007-11-09 20:22:35 UTC
Description of problem:
When SELinux is in enforcing mode, pam_mount is not allowed to mount an
encrypted home directory.  It is not allowing /bin/mount to run.  Strangely,
using "su -" to log into the user from root will prompt for the password, then
will correctly mount.

Version-Release number of selected component (if applicable):
Initial packages and policies in F8 final

How reproducible:
Every time

Steps to Reproduce:
1. Configure encrypted home directory
2. Edit /etc/security/pam_mount.conf
3. Try to login at console or via GDM
  
Actual results:
User logs in, but home directory is not mounted

Expected results:
User logs in, and home directory is mounted and accessed

Additional info:
SELinux messages -
* setroubleshoot: #012  SELinux is preventing login (local_login_t)
"execute_no_trans" to /bin/mount (mount_exec_t).#012
* setroubleshoot: #012  SELinux is preventing mount.crypt (local_login_t)
"execute_no_trans" to /sbin/cryptsetup (lvm_exec_t).#012

Comment 1 Kyle Gonzales 2007-11-09 20:37:49 UTC
Created attachment 253391
AVCs from when I try to log into the user with encrypted home directory

Comment 2 Kyle Gonzales 2007-11-09 20:53:12 UTC
Created attachment 253451
More complete AVCs with additional audit messages

Comment 3 Daniel Walsh 2007-11-10 12:16:00 UTC
If you turn on the boolean allow_polyinstantiation, this should work.

I will make mount_domtrans the default in the next version

setsebool -P allow_polyinstantiation=1

Fixed in selinux-policy-3.0.8-51.fc8
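
A triage sketch for the two setroubleshoot messages quoted in the description, added here as an example and not part of the original report or of any Fedora tooling. It parses the syslog summaries and groups execute_no_trans denials by source domain, the situation the mount_domtrans change mentioned in comment 3 addresses; the function names, regular expression and output layout are assumptions of this example.

```python
import re

# Constructed sample: the two setroubleshoot lines quoted in the bug
# description, including the syslog "#012" newline escapes and line wraps.
SAMPLE = '''\
* setroubleshoot: #012  SELinux is preventing login (local_login_t)
"execute_no_trans" to /bin/mount (mount_exec_t).#012
* setroubleshoot: #012  SELinux is preventing mount.crypt (local_login_t)
"execute_no_trans" to /sbin/cryptsetup (lvm_exec_t).#012
'''

DENIAL_RE = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<source>\w+)\)\s+'
    r'"(?P<perm>\w+)" to (?P<path>\S+) \((?P<target>\w+)\)'
)

def parse_denials(text):
    """Return one dict per setroubleshoot summary found in syslog text."""
    # syslog writes embedded newlines as "#012"; undo that and the line
    # wrapping so each summary is matched as a single run of text.
    flat = " ".join(text.replace("#012", " ").split())
    return [m.groupdict() for m in DENIAL_RE.finditer(flat)]

def triage(denials):
    """Group execute_no_trans denials by source domain.

    execute_no_trans is the file permission for running a program without
    leaving the caller's domain, so each hit is a helper that would run with
    the caller's domain unless policy defines a domain transition for it.
    """
    report = {}
    for d in denials:
        if d["perm"] != "execute_no_trans":
            continue
        # Rule that would silence the denial by keeping the helper inside
        # the caller's domain; listed for comparison with a transition.
        rule = "allow %s %s:file execute_no_trans;" % (d["source"], d["target"])
        report.setdefault(d["source"], []).append(
            {"helper": d["path"], "entry_type": d["target"], "in_domain_rule": rule}
        )
    return report

if __name__ == "__main__":
    for domain, helpers in triage(parse_denials(SAMPLE)).items():
        for h in helpers:
            print(domain, "->", h["helper"], "|", h["in_domain_rule"])
```

Both denials share the source domain local_login_t, so the report shows at a glance which helpers the login domain is trying to run without a transition.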

Comment 4 Daniel Walsh 2008-01-30 19:07:05 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

