Bug 373661 - SELinux prevents pam_mount from working correctly
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-11-09 15:22 EST by Kyle Gonzales
Modified: 2008-01-30 14:07 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:07:05 EST

Attachments
AVCs from when I try to log into the user with encrypted home directory (1.17 KB, application/octet-stream)
2007-11-09 15:37 EST, Kyle Gonzales
More complete AVCs with additional audit messages (1.59 KB, application/octet-stream)
2007-11-09 15:53 EST, Kyle Gonzales

Description Kyle Gonzales 2007-11-09 15:22:35 EST
Description of problem:
When SELinux is in enforcing mode, pam_mount is not allowed to mount an
encrypted home directory.  It is not allowing /bin/mount to run.  Strangely,
using "su -" to log into the user from root will prompt for the password, then
will correctly mount.

Version-Release number of selected component (if applicable):
Initial packages and policies in F8 final

How reproducible:
Every time

Steps to Reproduce:
1. Configure encrypted home directory
2. Edit /etc/security/pam_mount.conf
3. Try to login at console or via GDM
  
Actual results:
User logs in, but home directory is not mounted

Expected results:
User logs in, and home directory is mounted and accessed

Additional info:
SELinux messages -
* setroubleshoot: #012  SELinux is preventing login (local_login_t)
"execute_no_trans" to /bin/mount (mount_exec_t).#012
* setroubleshoot: #012  SELinux is preventing mount.crypt (local_login_t)
"execute_no_trans" to /sbin/cryptsetup (lvm_exec_t).#012
Comment 1 Kyle Gonzales 2007-11-09 15:37:49 EST
Created attachment 253391
AVCs from when I try to log into the user with encrypted home directory
Comment 2 Kyle Gonzales 2007-11-09 15:53:12 EST
Created attachment 253451
More complete AVCs with additional audit messages
Comment 3 Daniel Walsh 2007-11-10 07:16:00 EST
If you turn on the boolean allow_polyinstantiation, this should work.

I will make mount_domtrans the default in the next version

setsebool -P allow_polyinstantiation=1

Fixed in selinux-policy-3.0.8-51.fc8
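
Added example (not part of the original bug thread and not code from the selinux-policy project): a small triage script that picks `execute_no_trans` denials out of audit records and groups them by source domain and target executable type, the pair that a domain-transition rule such as the mount_domtrans mentioned above would need to cover. The audit lines are constructed to mirror the two setroubleshoot messages in the description; pids, inode numbers, timestamps and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the two denials quoted in the report,
# plus one unrelated denial and one non-AVC record. All ids are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1194639755.101:41): avc:  denied  { execute_no_trans } for  pid=2901 comm="login" path="/bin/mount" dev=dm-0 ino=1001 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(1194639755.340:42): avc:  denied  { execute_no_trans } for  pid=2903 comm="mount.crypt" path="/sbin/cryptsetup" dev=dm-0 ino=1002 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1194639756.010:43): avc:  denied  { read } for  pid=2910 comm="gdm" name="foo" dev=dm-0 ino=1003 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1194639755.101:41): arch=40000003 syscall=11 success=no exit=-13 comm="login" exe="/bin/login"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "sdomain": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def missing_transitions(log_text):
    """Map (source domain, target exec type) -> sorted paths that were denied.

    execute_no_trans is the permission to run a file while staying in the
    caller's domain, so each pair here marks an exec with no domain transition.
    """
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "file" and "execute_no_trans" in rec["perms"]:
            found[(rec["sdomain"], rec["ttype"])].add(rec["path"])
    return {pair: sorted(paths) for pair, paths in found.items()}


if __name__ == "__main__":
    for (src, tgt), paths in missing_transitions(SAMPLE_AUDIT_LOG).items():
        print(f"{src} executed {', '.join(paths)} ({tgt}) without a domain transition")
```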
Comment 4 Daniel Walsh 2008-01-30 14:07:05 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
