Re: Pam_mount and SELinux

W. Michael Petullo wrote:

I added a mounton rule, but this did not solve my problem. I am
especially confused by the fact that SELinux is not logging any failures.
I would expect an "avc: denied" error. This feels like a traditional
Unix permissions issue but does not occur when SELinux is not enforcing
its policies.





There are a few things that SELinux will deny but not generate a log
message for.  is the big one.  That's bitten me in the past.

In your particular case, if pam_mount is being run before su transitions
to the sysadm_r role, then you'll probably get denials from user_r not
being authorized for the mount_t domain.

Solution:

role $1_r types mount_t;



Great! The pam_mount module is now working for me in enforcing mode. Once I go through and clean things up I'll share my work.

Why would SELinux not log some denials?


This is a bug in the kernel that has not been upstreamed yet. Hopefully it will be fixed soon.
This type of thing has burnt me several times also.


Dan
