>> I added a mounton rule, but this did not solve my problem. I am
>> especially confused by the fact that SELinux is not logging any failures.
>> I would expect an "avc: denied" error. This feels like a traditional
>> Unix permissions issue but does not occur when SELinux is not enforcing
>> its policies.
> There are a few things that SELinux will deny but not generate a log
> message for. is the big one. That's bitten me in the past.
>
> In your particular case, if pam_mount is being run before su transitions
> to the sysadm_r role, then you'll probably get denials from user_r not
> being authorized for the mount_t domain.
>
> Solution:
>
> role $1_r types mount_t;

Great! The pam_mount module is now working for me in enforcing mode. Once
I go through and clean things up I'll share my work.

Why would SELinux not log some denials?

--
Mike
:wq