W. Michael Petullo wrote:
>>>I added a mounton rule, but this did not solve my problem. I am
>>>especially confused by the fact that SELinux is not logging any failures.
>>>I would expect an "avc: denied" error. This feels like a traditional
>>>Unix permissions issue but does not occur when SELinux is not enforcing
>>>its policies.
>>>
>>>
>>There are a few things that SELinux will deny but not generate a log
>>message for. is the big one. That's bitten me in the past.
>>
>>In your particular case, if pam_mount is being run before su transitions
>>to the sysadm_r role, then you'll probably get denials from user_r not
>>being authorized for the mount_t domain.
>>
>>Solution:
>>
>>role $1_r types mount_t;
>>
>>
>Great! The pam_mount module is now working for me in enforcing mode.
>Once I go through and clean things up I'll share my work.
>Why would SELinux not log some denials?
This is a bug in the kernel that has not been upstreamed yet.
Hopefully it will be fixed soon.
This type of thing has burnt me several times also.
Dan
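As an added illustration, not code from anyone in this thread, the same role authorization written as a reference-policy local module rather than the `$1_r` macro line quoted above. It assumes a reference-policy toolchain, the stock `user_r` role and `mount_t` domain, and that the policy already contains the domain transition from the user domain into `mount_t` (the thread implies only the role authorization was missing); the module name `local_user_mount` is made up for this example.

```selinux
# local_user_mount.te -- added example, not from the thread.
# Assumes reference policy; user_r and mount_t are the stock names.
policy_module(local_user_mount, 1.0)

require {
        type mount_t;
        role user_r;
}

# Authorize user_r for the mount_t domain so that a pam_mount run which
# happens before su changes role to sysadm_r can still enter mount_t.
# This is the expanded form of "role $1_r types mount_t;" with $1 = user.
role user_r types mount_t;
```

Build and load it with `checkmodule -M -m -o local_user_mount.mod local_user_mount.te`, then `semodule_package -o local_user_mount.pp -m local_user_mount.mod` and `semodule -i local_user_mount.pp`; `seinfo -r user_r -x` should then list `mount_t` among the role's types. When a denial produces no AVC message at all, `semodule -DB` rebuilds the policy with its dontaudit rules disabled so the suppressed denials show up in the audit log, and `semodule -B` puts them back once you have found the missing rule.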