Bug 426785 - pam_mount cannot mount encrypted volumes with SELinux enabled
Summary: pam_mount cannot mount encrypted volumes with SELinux enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_mount
Version: 8
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Till Maas
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-26 11:04 UTC by Carsten Clasohm
Modified: 2008-08-02 23:40 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-21 18:43:58 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
avc denied messages (6.69 KB, text/plain)
2007-12-26 11:04 UTC, Carsten Clasohm 		no flags Details
SELinux module generated with audit2allow (966 bytes, text/plain)
2007-12-26 11:05 UTC, Carsten Clasohm 		no flags Details
View All

Description Carsten Clasohm 2007-12-26 11:04:17 UTC 
Description of problem:

If SELinux is in enforcing mode, pam_mount cannot mount encrypted volumes during
login.

Version-Release number of selected component (if applicable):

pam_mount-0.18-2.fc8
selinux-policy-targeted-3.0.8-69.fc8

How reproducible:

always

Steps to Reproduce:
1. Install pam_mount, set up encrypted volumes with cryptsetup luksFormat using
joe's login password, and add something like this in /etc/security/pam_mount.conf:

volume joe crypt - /dev/vg1/home-joe /home/joe noatime - -
volume joe crypt - /dev/vg1/pgsql-data /var/lib/pgsql/data noatime - -

2. Log in as user joe
3. Neither the home directory nor /var/lib/pgsql/data are mounted
  
Actual results:

/var/log/messages contains entries about SELinux denying various mount operations.

Expected results:

pam_mount should work with the targeted SELinux policy.

Additional info:

Attached are the AVC messages, and a SELinux module generated with audit2allow,
with which pam_mount works.
Comment 1 Carsten Clasohm 2007-12-26 11:04:18 UTC 
Created attachment 290404 [details]
avc denied messages
Comment 2 Carsten Clasohm 2007-12-26 11:05:09 UTC 
Created attachment 290405 [details]
SELinux module generated with audit2allow
Comment 3 Till Maas 2008-01-19 22:19:32 UTC 
Hey Daniel, can you maybe help here? Pam_mount already contains some selinux
files, should I just append attachment #290405 [details] there or do you like to add the
policy for pam_mount to the big policy?
Comment 4 Daniel Walsh 2008-01-21 18:43:58 UTC 
This should be fixed in

selinux-policy-3.0.8-74.fc8
Note You need to log in before you can comment on or make changes to this bug.