Bug 1121283

Summary: SELinux prevents Nautilus from running cryptsetup to mount encrypted volume
Product: [Fedora] Fedora Reporter: Andrew Gunnerson <accounts+fedora>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: accounts+fedora, dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-01 09:48:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Gunnerson 2014-07-18 21:10:30 UTC 
Description of problem:

(I apologize if this doesn't belong under the selinux-policy component)

For some reason, SELinux is preventing Nautilus from executing cryptsetup to unlock an external encrypted volume. When I plug in my (encrypted) external drive and try to mount it, I get the following error:

(Screenshot) https://dl.dropboxusercontent.com/u/486665/Luks/Screenshot%20from%202014-07-18%2016%3A44%3A34.png

(Error Text)
---
Error unlocking /dev/sdc1: Command-line `cryptsetup luksOpen "/dev/sdc1" "luks-7cb3d180-ca8e-439a-8d11-ed536576a13c"' exited with non-zero exit status 1:
---

This is immediately followed by the following SELinux denial:

(Screenshot) https://dl.dropboxusercontent.com/u/486665/Luks/Screenshot%20from%202014-07-18%2016%3A45%3A10.png

(Full denial text) https://dl.dropboxusercontent.com/u/486665/Luks/selinux.txt

If I manually run the cryptsetup command that Nautilus shows, it succeeds without error. After I do that, Nautilus is even able to unmount the volume (I'm assuming it runs "cryptsetup luksClose ...").

(Screenshot) https://dl.dropboxusercontent.com/u/486665/Luks/Screenshot%20from%202014-07-18%2016%3A48%3A18.png

I'm not quite sure why "cryptsetup luksOpen..." fails only when it's run by Nautilus.


Version-Release number of selected component (if applicable):

nautilus-3.13.1-2.fc21.x86_64
gvfs-1.21.3-1.fc21.x86_64
cryptsetup-1.6.5-2.fc21.x86_64
kernel-3.16.0-0.rc5.git1.1.fc21.x86_64
selinux-policy-3.13.1-64.fc21.noarch


Additional info:

Looking at the SELinux error, I'm seeing "system_u:system_r:lvm_t:s0", but my drive does not use LVM, just a single luks-encrypted ext4 partition.
Comment 1 Miroslav Grepl 2014-07-21 09:58:51 UTC 
Could you attach raw AVC msgs?
Comment 2 Andrew Gunnerson 2014-07-21 22:45:44 UTC 
Miroslav: Thanks for the reply! Are looking for the /var/log/audit/audit.log file?

I'll attach that to this bug report. From a quick grep, the first cryptsetup denial starts at line 25549.

---
type=AVC msg=audit(1405716212.399:2264): avc:  denied  { write } for  pid=23091 comm="cryptsetup" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=0
type=SYSCALL msg=audit(1405716212.399:2264): arch=c000003e syscall=46 success=no exit=-13 a0=9 a1=7fffe7273be0 a2=0 a3=5db items=0 ppid=1508 pid=23091 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
...
Comment 3 Andrew Gunnerson 2014-07-21 22:52:04 UTC 
Sorry, Bugzilla doesn't seem to let me attach the log. Here's a link to it: https://dl.dropboxusercontent.com/u/486665/RHBZ1121283/audit.log
Comment 4 Miroslav Grepl 2014-09-01 09:48:49 UTC 
Is this still an issue? I believe it has been fixed in the kernel.