The attached patch solves a problem with local logins while using pam_mount. In xserver.te GDM already has the permission to manage /var/run/pam_mount. Therefore GDM logins which use pam_mount to e.g. decrypt a partition work, but local logins do not. I also had a lot of strange { getattr search } requests from mount. I dontaudit all of them and the login still works. I'm not sure if we should add these to mount_t:

domain_dontaudit_search_all_domains_state(mount_t)
dontaudit mount_t pam_var_console_t:file write;
dontaudit mount_t self:process ptrace;
dontaudit mount_t proc_net_t:lnk_file read;

Nevertheless, with the attached patch local logins via pam_mount work. I cc'd Dan in the hope that he will add the patch to the upstream policy of Fedora. Then I don't have to install a local policy for every installation. Lazy me ;-)
--- /usr/src/refpolicy-20080402/policy/modules/system/locallogin.te 2008-06-23 20:53:58.000000000 +0200 +++ policy/modules/system/locallogin.te 2008-06-23 20:54:32.000000000 +0200 @@ -100,6 +100,7 @@ auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) +auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t)
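Review bot: the added auth_manage_pam_pid(local_login_t) grants local_login_t the full manage set on the pam pid directory (create, write, unlink and rename, not only read/write), while the description only shows that pam_mount needs to work with /var/run/pam_mount at login; please confirm from the actual denials that nothing narrower than manage is sufficient, and say so in the patch description, since the same justification (GDM already has it in xserver.te) is the only one given. The mount_t rules discussed in the cover letter (domain_dontaudit_search_all_domains_state(mount_t) and the three dontaudit lines) are not part of this hunk, so either add them as a separate hunk against mount.te or state that they are intentionally left out. The patch also ships without a changelog entry or one-line summary describing the local login plus pam_mount case it fixes.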