As an exercise to help me learn the fundamentals of SELinux policies I am trying to get pam_mount to work on an enforcing SELinux system. Pam_mount is a module that allows password-protected volumes to be mounted when a user logs in, using the user's normal system password. Pam_mount requires several special capabilities and I have modified my su_macros.te to give them to the su command (it's a start).

1. Pam_mount needs to be able to work in /var/run/pam_mount:

    allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
    allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };

2. Pam_mount needs to be able to read its configuration file:

    allow $1_su_t etc_runtime_t:file { getattr read };
    allow $1_su_t user_home_t:dir { getattr read };

3. Pam_mount needs to be able to execute some commands in /sbin:

    allow $1_su_t sbin_t:file { read execute };

4. Pam_mount needs to be able to execute mount:

    allow $1_su_t mount_exec_t:file { read execute };
    allow $1_su_t $1_su_t:capability { fsetid };
    domain_auto_trans($1_su_t, mount_exec_t, mount_t)

One problem I am having right now is that when pam_mount tries to execute mount it fails with a "permission denied" error. But I get no related AVC log from SELinux. If I disable SELinux's enforcing mode then I get no error and everything works fine.

Other than that, I would like to hear any comments about the additional requirements pam_mount has. I am giving more capabilities to su and therefore increasing risk. Am I doing so in the right way? Does anyone have a better model to propose to accomplish this?

--
Mike
:wq
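An added example, not code from the original post: the allow rules above are exactly what you get by collapsing AVC denial messages per (source type, target type, class) and rewriting the concrete su domain (here assumed to be user_su_t) as the su_macros.te argument $1_su_t. The AVC lines below are constructed samples in the classic kernel audit format.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the original post).
SAMPLE_AVC_LOG = """\
audit(1100000000.000:1): avc:  denied  { write add_name } for  pid=1234 comm="su" name="pam_mount" dev=hda1 ino=42 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1100000000.001:2): avc:  denied  { create } for  pid=1234 comm="su" name="lockfile" scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:var_run_t tclass=file
audit(1100000000.002:3): avc:  denied  { read } for  pid=1234 comm="su" name="pam_mount.conf" scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1100000000.003:4): avc:  denied  { getattr } for  pid=1234 comm="su" scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:var_run_t tclass=dir
"""

# Pull the permission set, both security contexts and the object class out of one line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC denial lines."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore
        # A context is user:role:type[:level]; the type is always the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials


def to_macro_rules(denials, role_prefix="user"):
    """Render allow rules in su_macros.te style, with the per-role su domain
    (e.g. user_su_t, assumed here) replaced by the macro argument $1_su_t."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if stype == role_prefix + "_su_t":
            stype = "$1_su_t"
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in to_macro_rules(parse_avc(SAMPLE_AVC_LOG)):
        print(rule)
```

A denial that produces no AVC message at all, as with the mount failure described in the post, is often one covered by a dontaudit rule in the loaded policy: the access is still refused, only the log line is suppressed, so nothing appears for this parser to work on.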