Bug 1174278
| Field | Value |
|---|---|
| Summary | ecryptfs doesn't automount Private at login since upgrade to FC21 beta |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | unspecified |
| Version | 21 |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | Miroslav Grepl <mgrepl> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | d.fedora, dominick.grift, dwalsh, esandeen, extras-qa, lvrabec, mail, mgrepl, mhlavink, mnl, plautrba, prd-fedora, redhat-bugzilla, sixpack13, swami, timok, tore |
| Fixed In Version | selinux-policy-3.13.1-105.fc21 |
| Doc Type | Bug Fix |
| Type | Bug |
| Clone Of | 1165578 |
| Bug Depends On | 1165578 |
| Last Closed | 2015-01-30 23:54:41 UTC |

Description
Miroslav Grepl
2014-12-15 14:42:44 UTC
(In reply to timok from comment #37)
> I just ran 'ls -Z /usr/sbin/mount.ecryptfs_private' on my system (F21 after
> fedup from F20, ecryptfs_private worked on F20, does not on F21) and the
> output is different from Kevin

Just to note that my install was a fresh F20 install on a new laptop made approx. 2 months ago, in case that's a helpful data point.

commit cf4b4f746f42e7c9ed8e6c3cc1d0c9ddbe6aaf82
Author: Dan Walsh <dwalsh>
Date: Tue Dec 23 14:45:22 2014 -0500

    Allow userdomains to use mount commands as entrypoints

Finally got a chance to remove all my local policies and try selinux-policy-3.13.1-103. Works fine. None of the policies I made with audit2allow are required anymore. Thank you!

Doesn't work for me with selinux-policy-3.13.1-103.

Oops. Must have done my test wrong because after rebooting, ecryptfs failed to mount my home. Had to reinstall policies I removed thinking it was fixed.

Still does not work here with
selinux-policy-3.13.1-103.fc21.noarch
selinux-policy-targeted-3.13.1-103.fc21.noarch

(In reply to Paul DeStefano from comment #5)
> Oops. Must have done my test wrong because after rebooting, ecryptfs failed
> to mount my home. Had to reinstall policies I removed thinking it was fixed.

Could you please send me your policies for a workaround? Using audit2allow I could make the mount work for ssh, but the unmount doesn't work (doesn't produce anything in the log).

I don't run SSHD on this box, so I would know about that vector, only X11 and console. I'd be interested in seeing your policy for that.

These are the two policies I have installed now:

    module myPol.login 1.0;

    require {
        type unconfined_t;
        type mount_ecryptfs_exec_t;
        class file entrypoint;
    }

    #============= unconfined_t ==============
    allow unconfined_t mount_ecryptfs_exec_t:file entrypoint;

    module myPol.systemd-logind 1.0;

    require {
        type systemd_logind_t;
        type mount_ecryptfs_tmpfs_t;
        class file getattr;
    }

    #============= systemd_logind_t ==============
    allow systemd_logind_t mount_ecryptfs_tmpfs_t:file getattr;

selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

The good news is that mounting works (tried for both ssh and gnome).

The bad thing is that unmounting does not work. I don't know if this should go to a new bug (since the title mentions only mounting, the umounting bug having been "shadowed" up to now).

Unmounting works when executing /sbin/umount.ecryptfs_private from the command line while logged on. It fails when the same command is executed by pam_ecryptfs.so on logout. I have modified pam_ecryptfs.so to redirect umount.ecryptfs_private's error messages to syslog. I get:

    fopen: Permission denied
    Cannot chdir into mountpoint.

As everything works when I disable selinux, I suppose that pam_ecryptfs.so runs with a different security context than the user's login shell, so still some rules missing here...

(In reply to Michael Lipp from comment #11)
> The bad thing is that unmounting does not work. I don't know if this should
> go to a new bug (since the title mentions only mounting, the umounting bug
> having been "shadowed" up to now).

I withdraw that. Now it works (both mounting and unmounting), not sure what happened before...

Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

The update, in combination with the fix for bug #1165578 has fixed the issue for me. Thanks.

*** Bug 1165578 has been marked as a duplicate of this bug. ***