pam_mount configured. When logging in via ssh, the mount is fine:

Aug 2 23:01:43 chorlton kernel: EXT4-fs (dm-8): mounted filesystem with ordered data mode
Aug 2 23:01:45 chorlton kernel: EXT4-fs (dm-9): mounted filesystem with ordered data mode

But on logout (and unmount):

Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:64): umount messages:
Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:68): HXproc_run_async: umount.crypt: Permission denied
Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:705): unmount of /dev/chorlton_vg0/chorlton_lv_common_cryptmount failed
Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:64): umount messages:
Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:68): HXproc_run_async: umount.crypt: Permission denied
Aug 2 23:02:41 chorlton sshd[12371]: pam_mount(mount.c:705): unmount of /dev/chorlton_vg0/chorlton_lv_krp_cryptmount failed
Aug 2 23:02:43 chorlton setroubleshoot: SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt. For complete SELinux messages. run sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d
Aug 2 23:02:43 chorlton setroubleshoot: SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt. For complete SELinux messages. run sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d

# sealert -l 30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d

Summary:

SELinux is preventing /usr/sbin/sshd "execute" access on /sbin/mount.crypt.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lvm_exec_t:s0
Target Objects                /sbin/mount.crypt [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          chorlton
Source RPM Packages           openssh-server-5.4p1-3.fc13
Target RPM Packages           pam_mount-2.4-2.fc13
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     chorlton
Platform                      Linux chorlton 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   57
First Seen                    Mon Aug 2 21:37:42 2010
Last Seen                     Mon Aug 2 23:02:41 2010
Local ID                      30a7cc21-ba9c-4e0a-b1ce-95fd8e6d795d
Line Numbers

Raw Audit Messages

node=chorlton type=AVC msg=audit(1280786561.4:34092): avc: denied { execute } for pid=12479 comm="sshd" name="mount.crypt" dev=dm-0 ino=524435 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file

node=chorlton type=SYSCALL msg=audit(1280786561.4:34092): arch=c000003e syscall=59 success=no exit=-13 a0=7fff90feb227 a1=7f631f467ab0 a2=7f631f456ea0 a3=7f631bb54240 items=0 ppid=12371 pid=12479 auid=1976 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

/etc/pam.d/sshd :

#%PAM-1.0
auth       required     pam_sepermit.so
auth       optional     pam_mount.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_mount.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
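The two raw audit records in the report above share one event serial, so they can be joined to show which domain tried to execute which file type and how the syscall failed. This is an added example, not part of the original report or of pam_mount; the function names are illustrative, and the sample records are copied from the report.

```python
import errno
import re
from collections import defaultdict

# Raw audit records copied verbatim from the report above (one event, two records).
SAMPLE = (
    'node=chorlton type=AVC msg=audit(1280786561.4:34092): avc: denied { execute } for pid=12479 comm="sshd" name="mount.crypt" dev=dm-0 ino=524435 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file\n'
    'node=chorlton type=SYSCALL msg=audit(1280786561.4:34092): arch=c000003e syscall=59 success=no exit=-13 a0=7fff90feb227 a1=7f631f467ab0 a2=7f631f456ea0 a3=7f631bb54240 items=0 ppid=12371 pid=12479 auid=1976 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)\n'
)

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial; each record becomes a field dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
        events[int(serial)][rtype] = fields
    return dict(events)

def setype(context):
    """Return the type field (third component) of an SELinux context."""
    return context.split(":")[2]

def summarize(events):
    """One row per denial, joined with the SYSCALL record of the same event."""
    rows = []
    for serial, rec in sorted(events.items()):
        avc, sc = rec.get("AVC"), rec.get("SYSCALL", {})
        if not avc:
            continue
        code = int(sc["exit"]) if "exit" in sc else None
        rows.append({
            "serial": serial, "source_type": setype(avc["scontext"]),
            "target_type": setype(avc["tcontext"]), "tclass": avc["tclass"],
            "perms": avc["perms"], "name": avc.get("name"), "exe": sc.get("exe"),
            "exit": code,  # a negative exit is -errno; -13 is EACCES
            "errno": errno.errorcode.get(-code) if code is not None and code < 0 else None,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```
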
Is pam_mount executing mount.crypt directly? It should be executing umount, which would cause the proper transitions to happen.
(In reply to comment #1)
> Is pam_mount executing mount.crypt directly? It should be executing umount
> which would cause the proper transitions to happen.

Yes, it is. Kevin, you can probably work around this until I have created an update by adding this to your /etc/security/pam_mount.conf.xml file:

<cryptumount>umount %(MNTPT)</cryptumount>

Please report back whether this workaround helps.
(In reply to comment #2)
> Kevin, you can probably work around this until I have created an update by adding
> this to your /etc/security/pam_mount.conf.xml file:
> <cryptumount>umount %(MNTPT)</cryptumount>

Yes, adding that config option workaround prevents the SELinux trigger. Many thanks.
pam_mount-2.5-1.fc13,libHX-3.5-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc13,libHX-3.5-1.fc13
pam_mount-2.5-1.fc12,libHX-3.5-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc12,libHX-3.5-1.fc12
pam_mount-2.5-1.fc14,libHX-3.5-1.fc14 has been submitted as an update for Fedora 14. http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.5-1.fc14
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pam_mount libHX'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.6-1.fc14
pam_mount-2.5-1.fc12, libHX-3.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
pam_mount-2.5-1.fc13, libHX-3.6-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.