#1, 09-09-2008 (Just Joined! Join Date: Sep 2008, Location: Canada, Posts: 14)
SELinux not allowing me to mount sshfs with autofs.
I have installed the Fuse and sshfs packages on my Redhat 5.1 32-bit server, but am unable to automatically mount my sshfs filesystem when I have SELinux enabled. There are absolutely no error logs in /var/log/messages and nothing eye-catching in /var/log/audit.log.
When the problem first started I used audit2allow to query /var/log/messages and create a .te file, which I then loaded into the kernel.
Below is the .te file I used.
My question is: how do I troubleshoot an issue where I am not getting a deny in /var/log/messages when this is clearly an SELinux denial, since my testing worked fine with "setenforce 0"?
Below is my .te file, which audit2allow created for me. Is audit2allow a good tool to use?
ls -Z shows the following on the directory which autofs created for me:
r-xr-xr-x root root system_u:object_r:autofs_t:s0 remote_dir
module fusesshfs 1.0;
require {
type urandom_device_t;
type random_device_t;
type mount_t;
type shell_exec_t;
class file execute;
class fifo_file { read write getattr };
class chr_file read;
}
#============= mount_t ==============
allow mount_t random_device_t:chr_file read;
allow mount_t self:fifo_file { read write getattr };
allow mount_t shell_exec_t:file execute;
allow mount_t urandom_device_t:chr_file read;
***
I have gotten further with this issue. I will post my results tonight.
#2, 09-11-2008
OK, I have added another allow mount_t rule and a few more automount_t rules which suddenly showed up in my messages file. I can get the partition to mount with autofs, but now when I restart autofs it will not remount, and again, no blocked AVs in my logs. I will continue to monitor this.
I have been directed to use the tool apol and look for neverallow access vectors that are not auditing, to see if they are related to this issue. Any suggestions, guys? Anything at all?
Below is my Type Enforcement file:
module fusesshfs 1.0;
require {
type urandom_device_t;
type random_device_t;
type mount_t;
type shell_exec_t;
class file execute;
type etc_runtime_t;
class file { read getattr execute append relabelfrom relabelto };
class fifo_file { read write getattr };
type user_home_t;
class chr_file read;
class process signal;
class dir { read getattr };
type fusefs_t;
type automount_t;
class dir rmdir;
}
#============= mount_t ==============
allow mount_t random_device_t:chr_file read;
allow mount_t self:fifo_file { read write getattr };
allow mount_t shell_exec_t:file { read execute };
allow mount_t urandom_device_t:chr_file read;
allow mount_t random_device_t:chr_file read;
allow mount_t user_home_t:file { read getattr };
allow mount_t etc_runtime_t:file { relabelfrom relabelto };
allow mount_t self:process signal;
allow mount_t fusefs_t:dir getattr;
#============= automount_t ==============
allow automount_t fusefs_t:dir rmdir;
/etc/auto.master:
/mnt /etc/auto.sshfs uid=1007,gid=1007, --timeout=1000000000000000, --ghost

/etc/auto.sshfs:
remote_60_tmp -fstype=fuse,rw,nodev,nonempty,noatime,allow_other, max_read=65536 :sshfs\#root@192.168.101.60\:/tmp

ls -Z for the remote mount:
drwxrwxrwt root root system_u:object_r:tmp_t:s0 tmp
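The .te modules in both posts are what audit2allow derives from AVC records. The following added example (not from the thread or from audit2allow itself) shows that derivation on constructed audit.log lines whose types mirror the ones in the modules above; it also makes clear why a denial that is silenced by a dontaudit rule can never appear in such output. The sample records, the module name and the regex are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (the thread reports none);
# the contexts mirror the types named in the thread's .te module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1220989021.123:101): avc:  denied  { read } for  pid=3412 comm="sshfs" name="urandom" dev=tmpfs ino=1234 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1220989021.124:102): avc:  denied  { read write } for  pid=3412 comm="sshfs" path="pipe:[4567]" dev=pipefs ino=4567 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file
type=AVC msg=audit(1220989021.125:103): avc:  denied  { getattr } for  pid=3412 comm="sshfs" path="pipe:[4567]" dev=pipefs ino=4567 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=fifo_file
type=AVC msg=audit(1220989130.001:104): avc:  denied  { rmdir } for  pid=2901 comm="automount" name="remote_60_tmp" dev=fuse ino=1 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1220989130.001:104): arch=40000003 syscall=40 success=no exit=-13 comm="automount"
"""

# scontext/tcontext are user:role:type:level; only the type field matters here.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)

def parse_avc_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} for each denied AVC.
    A denial covered by a dontaudit rule is never logged, so it cannot show up here."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL/CWD/PATH records carry no AVC and are skipped
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return denials

def build_te_module(denials, name="fusesshfs", version="1.0"):
    """Render the denials as a policy module in the .te layout shown above."""
    sources = sorted({s for s, _, _ in denials})
    types = sorted({t for _, t, _ in denials} | set(sources))
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sources:
        out.append(f"#============= {stype} ==============")
        for (s, t, tclass), perms in sorted(denials.items()):
            if s == stype:
                target = "self" if t == s else t  # same type as source is written "self"
                body = " ".join(sorted(perms))
                out.append(f"allow {stype} {target}:{tclass} {body if len(perms) == 1 else '{ ' + body + ' }'};")
    return "\n".join(out) + "\n"
```

If this parser (or audit2allow) finds nothing while setenforce 0 fixes the mount, the denial is being suppressed by a dontaudit rule rather than missing; on RHEL 5 the targeted policy ships an enableaudit.pp base module that can be loaded with semodule -b to make those suppressed denials visible while troubleshooting.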