[...]

>> 1. Pam_mount needs to be able to work in /var/run/pam_mount:
>> allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
>> allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };

> Look at the macros. You really want to create a transition rule that
> tells the kernel to create files under a specific context in the /var/run
> directory. So a rule like var_run_domain($1_su) will create a
> $1_su_var_run_t context.

I think I want to make a pam_mount context of some type. This is because login, gdm, su, etc. will all share the same /var/run/pam_mount. But when I try to do something like "var_run_domain(pam_mount)" I get the following errors on make load:

[...]
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/user.te:47:ERROR 'name conflict for type pam_mount_var_run_t' at token ';' on line 39900:
type pam_mount_var_run_t, file_type, sysadmfile, pidfile;
#line 47
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
[...]

Obviously, var_run_domain(pam_mount) is a reach. Could someone explain a little more about how that var_run_domain works?

[...]

>> I added a mounton rule, but this did not solve my problem. I am
>> especially confused by the fact that SELinux is not logging any failures.
>> I would expect an "avc: denied" error. This feels like a traditional
>> Unix permissions issue but does not occur when SELinux is not enforcing
>> its policies.

[...]

> Solution:
>
> role $1_r types mount_t;

[...]

The following does what I need:

domain_auto_trans($1_su_t, mount_exec_t, mount_t)
role $1_r types mount_t;

But out of curiosity, why does the domain_auto_trans statement not imply the role statement? Would you ever have a domain_auto_trans without a role?

-- 
Mike
:wq
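The failure mode in the thread (a domain transition whose target type the role is not authorized for, so the new context is invalid and no "avc: denied" appears) can be caught by linting the expanded policy. This is an added example, not code from the thread or from the SELinux policy tree: it assumes a simplified expansion of domain_auto_trans() in the old policy syntax, with $1 expanded to "user", and the policy text is constructed.

```python
import re

# Constructed fragment in the old (pre-reference-policy) syntax, approximating what
# domain_auto_trans(user_su_t, mount_exec_t, mount_t) expands to: allow rules plus a
# type_transition. The role authorization is a separate statement, so it is missing here.
POLICY_MISSING_ROLE = """
allow user_su_t mount_exec_t:file { getattr read execute };
allow user_su_t mount_t:process transition;
allow mount_t mount_exec_t:file entrypoint;
type_transition user_su_t mount_exec_t:process mount_t;
role user_r types user_su_t;
"""

# Same fragment with the role statement from the thread's solution added.
POLICY_FIXED = POLICY_MISSING_ROLE + "role user_r types mount_t;\n"

TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+);")
ROLE_RE = re.compile(r"^role\s+(\S+)\s+types\s+(?:\{\s*([^}]*)\}|(\S+));")


def parse(policy):
    """Collect role -> authorized types, and (source, entrypoint, target) transitions."""
    roles, transitions = {}, []
    for line in policy.splitlines():
        line = line.strip()
        m = TRANS_RE.match(line)
        if m:
            transitions.append(m.groups())
            continue
        m = ROLE_RE.match(line)
        if m:
            types = (m.group(2) or m.group(3)).split()
            roles.setdefault(m.group(1), set()).update(types)
    return roles, transitions


def unreachable_transitions(policy):
    """Return the role statements needed for every process transition whose source
    domain is authorized for a role but whose target domain is not. Without them the
    computed context (role + new type) is invalid, so the exec fails without an AVC denial."""
    roles, transitions = parse(policy)
    missing = []
    for role, types in roles.items():
        for src, _entrypoint, dst in transitions:
            if src in types and dst not in types:
                missing.append(f"role {role} types {dst};")
    return missing


if __name__ == "__main__":
    print(unreachable_transitions(POLICY_MISSING_ROLE))  # ['role user_r types mount_t;']
    print(unreachable_transitions(POLICY_FIXED))         # []
```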