pam_mount

I try to temporarily create a policy fix for pam_mount and I'm running into some problems.

While using local console login mount_t tries to "getattr" every sock_file in /var/run which I could dontaudit using the following:

dontaudit mount_t pidfile:sock_file getattr;

But there is still another very annoying AVC message which I get for every directory in /proc which is not labeled as proc_t.

type=1400 audit(1214045895.760:29702): avc: denied { getattr } for pid=28153 comm="fuser" path="/proc/1" dev=proc ino=1675 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir

type=1400 audit(1214045895.762:29703): avc: denied { search } for pid=28153 comm="fuser" name="1" dev=proc ino=1675 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir

For the first few tries I dontaudit every occurrence (over a dozen types) but I realized that's something I can't win ;-) So I tried using the following rule:

dontaudit mount_t proc_type:dir { getattr search };

But the AVC is still generated. I hoped that proc_type is an attribute for every file/dir under /proc. Am I wrong? Or why doesn't the dontaudit rule count?

Best regards
Stefan -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

• This message: [ Message body ]
• Next message: Shintaro Fujiwara: "su command not found"
• Previous message: Eamon Walsh: "Re: x_extension use"
• Next in thread: Christopher J. PeBenito: "Re: pam_mount"
• Reply: Christopher J. PeBenito: "Re: pam_mount"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]