W. Michael Petullo wrote:
As an exercise to help me learn the fundamentals of SELinux policies I am trying to get pam_mount to work on an enforcing SELinux system. Pam_mount is a module that allows password-protected volumes to be mounted when a user logs in using the user's normal system password.
Pam_mount requires several special capabilities and I have modified my su_macros.te to give them to the su command (it's a start).
1. Pam_mount needs to be able to work in /var/run/pam_mount:
allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };
Look at the macros. You really want to create a transition rule that tells the kernel to create files under a specific context in the /var/run directory. So a rule like var_run_domain($1_su) will create a $1_su_var_run_t context.
2. Pam_mount needs to be able to read its configuration file:
allow $1_su_t etc_runtime_t:file { getattr read };
allow $1_su_t user_home_t:dir { getattr read };
3. Pam_mount needs to be able to execute some commands in /sbin:
allow $1_su_t sbin_t:file { read execute };
What files is it execing? A better macro for execute privs is can_exec($1_su_t, sbin_t)
4. Pam_mount needs to be able to execute mount:
allow $1_su_t mount_exec_t:file { read execute };
allow $1_su_t $1_su_t:capability { fsetid };
domain_auto_trans($1_su_t, mount_exec_t, mount_t)
domain_auto_trans will provide the first rule.
One problem I am having right now is that when pam_mount tries to execute mount it fails with a "permission denied" error. But I get no related AVC log from SELinux. If I disable SELinux's enforcing then I get no error and everything works fine.
What is the mount point? Is there a mounton rule for it?
Other than that, I would like to hear any comments about the additional requirements pam_mount has. I am giving more capabilities to su and therefore increasing risk. Am I doing so in the right way? Does anyone have a better model to propose to accomplish this?