Bug 426785 - pam_mount cannot mount encrypted volumes with SELinux enabled
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam_mount
Version: 8
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Till Maas
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-26 06:04 EST by Carsten Clasohm
Modified: 2008-08-02 19:40 EDT
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-21 13:43:58 EST


Attachments
avc denied messages (6.69 KB, text/plain)
2007-12-26 06:04 EST, Carsten Clasohm
SELinux module generated with audit2allow (966 bytes, text/plain)
2007-12-26 06:05 EST, Carsten Clasohm

Description Carsten Clasohm 2007-12-26 06:04:17 EST
Description of problem:

If SELinux is in enforcing mode, pam_mount cannot mount encrypted volumes during
login.

Version-Release number of selected component (if applicable):

pam_mount-0.18-2.fc8
selinux-policy-targeted-3.0.8-69.fc8

How reproducible:

always

Steps to Reproduce:
1. Install pam_mount, set up encrypted volumes with cryptsetup luksFormat using
joe's login password, and add something like this in /etc/security/pam_mount.conf:

volume joe crypt - /dev/vg1/home-joe /home/joe noatime - -
volume joe crypt - /dev/vg1/pgsql-data /var/lib/pgsql/data noatime - -

2. Log in as user joe
3. Neither the home directory nor /var/lib/pgsql/data is mounted
  
Actual results:

/var/log/messages contains entries about SELinux denying various mount operations.

Expected results:

pam_mount should work with the targeted SELinux policy.

Additional info:

Attached are the AVC messages, and a SELinux module generated with audit2allow,
with which pam_mount works.
Comment 1 Carsten Clasohm 2007-12-26 06:04:18 EST
Created attachment 290404
avc denied messages
Comment 2 Carsten Clasohm 2007-12-26 06:05:09 EST
Created attachment 290405
SELinux module generated with audit2allow
Comment 3 Till Maas 2008-01-19 17:19:32 EST
Hey Daniel, can you maybe help here? pam_mount already contains some SELinux
files; should I just append attachment #290405 there, or would you like to add the
policy for pam_mount to the big policy?
Comment 4 Daniel Walsh 2008-01-21 13:43:58 EST
This should be fixed in

selinux-policy-3.0.8-74.fc8
