Bug 487088

Summary: add ecryptfs pam module to config file in %post
Product: Fedora
Reporter: Sachin Garg <ascii79>
Component: ecryptfs-utils
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: a1052087, esandeen, fdaluisio, inglessi, karsten, liling, mgrepl, mhlavink, pbonzini, yajo.sk8
Keywords: FutureFeature, Reopened
Hardware: All
OS: Linux
Fixed In Version: ecryptfs-utils-93-2.fc17
Doc Type: Enhancement
Last Closed: 2011-12-07 11:49:33 UTC
Bug Depends On: 486152
Bug Blocks: 479319

Description Sachin Garg 2009-02-24 03:03:45 UTC
Description of problem:

The private directory doesn't mount automatically after login, even though ecryptfs-setup-private was successful.

Version-Release number of selected component (if applicable):

ecryptfs-utils-70-1.fc11.i386

Expected results:

Private directory should mount automatically after login

Comment 1 Michal Hlavinka 2009-02-24 08:04:38 UTC
After ecryptfs-setup-private you will *not* get an auto-mounted ~/Private dir. e-s-private doesn't claim it will be mounted after login.
Extract from ecryptfs-setup-private manpage:

"The  system  administrator  can  add  the pam_ecryptfs.so module to the PAM stack which will automatically use the login passphrase to unwrap the mount passphrase, add the passphrase to the user’s kernel keyring, and automatically perform the mount. See pam_ecryptfs(8)."

(pam_ecryptfs documentation is missing/obsolete, see #479319 and #479727 )

You can use ecryptfs-mount-private (and ecryptfs-umount-private), or you can modify your PAM configuration to do this (see #486152 and #479727).

Comment 2 Sachin Garg 2009-02-25 03:05:01 UTC
Thanks, it explains everything.

Comment 3 Bug Zapper 2009-06-09 11:36:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Paolo Bonzini 2010-12-01 13:41:09 UTC
Closing, not really a bug.

Comment 5 Michal Hlavinka 2010-12-01 14:46:41 UTC
Please do not close bugs with blocks/depends on.

Comment 6 Paolo Bonzini 2010-12-02 00:21:01 UTC
Is there anything to fix in ecryptfs-utils, besides the documentation?  This seems more of a dup of 486152, and fixing that bug does not involve touching ecryptfs-utils at all.

Comment 7 Michal Hlavinka 2010-12-09 09:24:13 UTC
(In reply to comment #6)
> Is there anything to fix in ecryptfs-utils, besides the documentation? 

Yes. For example, see the summary of this bug.

> This
> seems more of a dup of 486152, and fixing that bug does not involve touching
> ecryptfs-utils at all.

Fixing that bug won't fix this one (see summary).

Comment 8 Paolo Bonzini 2010-12-09 10:29:15 UTC
With that patch in, the "add ecryptfs pam module" would become "add USEECRYPTFS=yes to /etc/sysconfig/authconfig".

I don't see for example fprintd adding USEFPRINTD=yes, or sssd adding USESSSDAUTH=yes, so I believe this is NOTABUG or WONTFIX; the right way to do it is to make authconfig do that if the user so desires.

Comment 9 Michal Hlavinka 2010-12-09 11:34:08 UTC
Modification of /etc/sysconfig/authconfig is not the only way to turn it on/off.

yum remove fprintd-pam
cat /etc/pam.d/system-auth

...
auth   sufficient fprintd.so
...


Is this correct behaviour? I don't think so; it should have (at least) called

authconfig --disablefingerprint

in postun.

Comment 11 Yajo 2011-07-05 11:36:53 UTC
(In reply to comment #8)
> With that patch in, the "add ecryptfs pam module" would become "add
> USEECRYPTFS=yes to /etc/sysconfig/authconfig".

I followed the instructions from http://fedoraproject.org/wiki/Features/EcryptfsAuthConfig which include adding that line you say, but ~/Private is not automounting.

I'm running a fresh Fedora 15 install.

I can provide more info if you need it.

Thanks.

Comment 12 Paolo Bonzini 2011-07-05 11:54:37 UTC
Please check if you're hitting bug 706911.

Comment 13 Yajo 2011-07-05 20:22:01 UTC
(In reply to comment #12)
> Please check if you're hitting bug 706911.

Thanks for the quick answer.

I saw that bug before, but I overlooked it because the version I have installed is ecryptfs-utils-87-3.fc15, which is supposed to close that bug.

Anyway, I checked by replacing /etc/mtab with a copy of /proc/mounts and rebooting, but the problem persists.

Comment 14 Michal Hlavinka 2011-07-07 08:17:38 UTC
I guess you have ~/Private mount set up correctly, so ecryptfs-mount-private does work for you, right?

Did you enable ecryptfs pam module? You need to run this as root:

authconfig --enableecryptfs --updateall

Do not change /etc/sysconfig/authconfig by hand; it's just one required step, just a "pre-config" for authconfig, which modifies the PAM config files. Just enable ecryptfs using the authconfig command above and it should work fine.

Comment 15 Yajo 2011-07-07 13:09:14 UTC
(In reply to comment #14)
> I guess you have ~/Private mount set up correctly, so ecryptfs-mount-private
> does work for you, right?

Right:

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

(The login passphrase is the same as my account's password)

> Did you enable ecryptfs pam module? You need to run this as root:
> 
> authconfig --enableecryptfs --updateall
> 
> do not change /etc/sysconfig/authconfig it's just one required step, it's just
> "pre-config" for authconfig which modifies pam config files. Just enable
> ecryptfs using autconfig command above and it should work fine.

$ sudo authconfig --enableecryptfs --updateall
Nota: Reenviando petición a 'systemctl disable sssd.service'.


Then I rebooted and problem persists.

Maybe this will help:

$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Comment 16 Michal Hlavinka 2011-07-08 08:02:40 UTC
What desktop are you using? KDE, Gnome (default), XFCE,...? What login manager? GDM (default), KDM,... ? Do you test it by logging in your desktop or in terminal or using ssh or...?

What is output of (run as affected user, not root):

ls -l ~/.ecryptfs

What is output of (run as affected user after log in, *before* any ecryptfs commands - like ecryptfs-mount-private ):

keyctl list @us

What is content of /etc/pam.d/postlogin on your system?

Did you make any modifications in pam config files? (in /etc/pam.d directory)

Comment 17 Yajo 2011-07-08 13:02:12 UTC
(In reply to comment #16)
> What desktop are you using? KDE, Gnome (default), XFCE,...? What login manager?
> GDM (default), KDM,... ? Do you test it by logging in your desktop or in
> terminal or using ssh or...?

Gnome 3 and GDM. All default.
 

> What is output of (run as affected user, not root):
> 
> ls -l ~/.ecryptfs

$ ls -l ~/.ecryptfs
total 20
-rw-------. 1 jairot jairot  0 jul  4 22:57 auto-mount
-rw-------. 1 jairot jairot  0 jul  4 22:57 auto-umount
-rw-------. 1 jairot jairot 21 jul  4 22:57 Private.mnt
-rw-------. 1 jairot jairot 34 jul  4 22:57 Private.sig
-rw-------. 1 jairot jairot 34 jul  4 19:17 Private.sig.20110704225700
-r--------. 1 jairot jairot 48 jul  4 22:57 wrapped-passphrase
-r--------. 1 jairot jairot 48 jul  4 19:17 wrapped-passphrase.20110704225700


> What is output of (run as affected user after log in, *before* any ecryptfs
> commands - like ecryptfs-mount-private ):
> 
> keyctl list @us

$ keyctl list @us
1 key in keyring:
889759792: --alswrv   500    -1 keyring: _uid.500

The output is the same after ecryptfs-mount-private

 
> What is content of /etc/pam.d/postlogin on your system?

$ cat /etc/pam.d/postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_ecryptfs.so unwrap

password    optional      pam_ecryptfs.so unwrap

session     optional      pam_ecryptfs.so unwrap


> Did you make any modifications in pam config files? (in /etc/pam.d directory)

No.

Comment 18 Paolo Bonzini 2011-07-08 13:09:37 UTC
Also please give the output of

grep postlogin -r --exclude '*.rpm*' /etc/pam.d

It should be something like:

/etc/pam.d/login:auth       substack     postlogin
/etc/pam.d/login:session    substack     postlogin
/etc/pam.d/gdm:auth       include     postlogin
/etc/pam.d/gdm:session    include     postlogin
/etc/pam.d/gdm-password:auth        include       postlogin
/etc/pam.d/gdm-password:session     include       postlogin
/etc/pam.d/passwd:password   substack	postlogin
/etc/pam.d/remote:auth       substack     postlogin
/etc/pam.d/remote:session    substack     postlogin
/etc/pam.d/gdm-autologin:auth       include     postlogin
/etc/pam.d/gdm-autologin:session    include     postlogin
/etc/pam.d/gdm-fingerprint:auth        include       postlogin
/etc/pam.d/gdm-fingerprint:session     include       postlogin

Comment 19 Michal Hlavinka 2011-07-08 17:19:56 UTC
(In reply to comment #18)
> Also please give the output of
> 
> grep postlogin -r --exclude '*.rpm*' /etc/pam.d

You can check it, but it's not important. If the keyctl output after login is not empty, the PAM module was executed. The chance that auth is executed but session is not is really, really small.

> -r--------. 1 jairot jairot 48 jul  4 22:57 wrapped-passphrase
> -r--------. 1 jairot jairot 48 jul  4 19:17 wrapped-passphrase.20110704225700

You have 2 wrapped-passphrase files. Did you change your passphrase recently? Or used "ecryptfs-setup-private --force" or did something else? It's not usual to have more versions.

Anyway, everything looks ok, so we need more information. Log in and then get the ecryptfs messages:

tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'

and

tail -n 50 /var/log/secure


Well, I almost forgot... SELinux. Try whether it works with SELinux in permissive mode:
a) add "enforcing=0" as kernel argument in grub, 
OR
b) boot, ctrl-alt-f2, log in as root and execute:
setenforce 0

Then SELinux will run in permissive mode until the next reboot.
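As an added example (not part of this bug, of ecryptfs-utils or of authconfig), a small Python resolver that does what the diagnosis in comments 14 to 19 does by hand: follow include/substack from a login service into postlogin and report whether pam_ecryptfs.so is reached in both the auth phase (unwrap into the keyring) and the session phase (the mount). The /etc/pam.d tree it builds is constructed from the files quoted in this bug; the `broken-login` service is hypothetical.

```python
import os
import tempfile

PHASES = ("auth", "account", "password", "session")

# Constructed sample /etc/pam.d tree (not copied from any real system). postlogin
# is what authconfig --enableecryptfs writes (comment 17); gdm-password wires it
# into auth and session as comment 18 expects; broken-login is hypothetical.
SAMPLE_PAMD = {
    "system-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
""",
    "postlogin": """\
auth        optional      pam_ecryptfs.so unwrap
password    optional      pam_ecryptfs.so unwrap
session     optional      pam_ecryptfs.so unwrap
""",
    "gdm-password": """\
auth        substack      system-auth
auth        include       postlogin
session     include       system-auth
session     include       postlogin
""",
    "broken-login": """\
auth        substack      system-auth
auth        include       postlogin
session     include       system-auth
""",
}


def write_sample_tree():
    """Materialise SAMPLE_PAMD in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


def parse_pam_line(line):
    """Return (phase, control, module, args) for one pam.d line, else None.
    Handles a leading '-' and bracketed controls that contain spaces."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    phase = tokens[0].lstrip("-")
    if phase not in PHASES or len(tokens) < 3:
        return None
    if tokens[1].startswith("["):
        end = 1  # join tokens until the one that closes the bracket
        while end < len(tokens) and not tokens[end].endswith("]"):
            end += 1
        control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    if not rest:
        return None
    return phase, control, rest[0], rest[1:]


def resolve_stack(pamd_dir, service, phase, _depth=0):
    """List the modules PAM runs for `phase` of `service`, following include
    and substack into other service files (what the grep in comment 18 checks)."""
    if _depth > 8:  # guard against include loops in a broken configuration
        raise RuntimeError("include chain too deep at %s" % service)
    path = os.path.join(pamd_dir, service)
    if not os.path.isfile(path):
        return []  # missing file: nothing runs for this phase
    modules = []
    with open(path) as fh:
        for raw in fh:
            parsed = parse_pam_line(raw)
            if parsed is None or parsed[0] != phase:
                continue
            _, control, module, _args = parsed
            if control in ("include", "substack"):
                modules.extend(resolve_stack(pamd_dir, module, phase, _depth + 1))
            else:
                modules.append(module)
    return modules


def check_ecryptfs(pamd_dir, service):
    """Is pam_ecryptfs.so reached in auth and in session? auth=True with
    session=False is the 'key in keyring but no mount' case from comment 19."""
    return {phase: "pam_ecryptfs.so" in resolve_stack(pamd_dir, service, phase)
            for phase in ("auth", "session")}


if __name__ == "__main__":
    root = write_sample_tree()
    for svc in ("gdm-password", "broken-login"):
        print(svc, check_ecryptfs(root, svc))
```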

Comment 20 Yajo 2011-07-09 11:14:56 UTC
(In reply to comment #18)
> Also please give the output of
> 
> grep postlogin -r --exclude '*.rpm*' /etc/pam.d
> 
> It should be something like:
> 
> /etc/pam.d/login:auth       substack     postlogin
> /etc/pam.d/login:session    substack     postlogin
> /etc/pam.d/gdm:auth       include     postlogin
> /etc/pam.d/gdm:session    include     postlogin
> /etc/pam.d/gdm-password:auth        include       postlogin
> /etc/pam.d/gdm-password:session     include       postlogin
> /etc/pam.d/passwd:password   substack postlogin
> /etc/pam.d/remote:auth       substack     postlogin
> /etc/pam.d/remote:session    substack     postlogin
> /etc/pam.d/gdm-autologin:auth       include     postlogin
> /etc/pam.d/gdm-autologin:session    include     postlogin
> /etc/pam.d/gdm-fingerprint:auth        include       postlogin
> /etc/pam.d/gdm-fingerprint:session     include       postlogin

The output is slightly different from that:

$ grep postlogin -r --exclude '*.rpm*' /etc/pam.d
/etc/pam.d/remote:auth       include      postlogin
/etc/pam.d/remote:session    include      postlogin
/etc/pam.d/gdm:auth       include     postlogin
/etc/pam.d/gdm:session    include     postlogin
/etc/pam.d/login:auth       include      postlogin
/etc/pam.d/login:session    include      postlogin
/etc/pam.d/gdm-password:auth        include       postlogin
/etc/pam.d/gdm-password:session     include       postlogin
/etc/pam.d/gdm-fingerprint:auth        include       postlogin
/etc/pam.d/gdm-fingerprint:session     include       postlogin
/etc/pam.d/passwd:password   substack	postlogin
/etc/pam.d/gdm-autologin:auth       include     postlogin
/etc/pam.d/gdm-autologin:session    include     postlogin


(In reply to comment #19)
> > -r--------. 1 jairot jairot 48 jul  4 22:57 wrapped-passphrase
> > -r--------. 1 jairot jairot 48 jul  4 19:17 wrapped-passphrase.20110704225700
> 
> you have 2 wrapped-passphrase files, did you changed your passphrase recently?
> Or used "ecryptfs-setup-private --force" or did something else? It's not usual
> to have more versions.

Yes. At first I thought it was some misconfiguration, so I tried some of the ecryptfs options, which created those files, but the buggy behavior remains the same.

I decided not to erase them until everything is working fine.


> Anyway, everything looks ok, so we need another information. Log in and then
> get ecryptfs messages:
> 
> tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'
> 
> and
> 
> tail -n 50 /var/log/secure

Commands run after ecryptfs-mount-private:

$ sudo tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'
Jul  9 13:01:48 dv6600 kernel: [   30.140501] iwl3945 0000:02:00.0: loaded firmware version 15.32.2.9
Jul  9 13:01:48 dv6600 kernel: [   30.221595] iwl3945 0000:02:00.0: Error setting Tx power (-5).
Jul  9 13:01:48 dv6600 kernel: [   30.230238] ADDRCONF(NETDEV_UP): wlan0: link is not ready
Jul  9 13:01:48 dv6600 kernel: [   30.281168] r8169 0000:08:00.0: eth0: link down
Jul  9 13:01:48 dv6600 kernel: [   30.282587] ADDRCONF(NETDEV_UP): eth0: link is not ready
Jul  9 13:01:49 dv6600 kernel: [   30.552666] ip6_tables: (C) 2000-2006 Netfilter Core Team
Jul  9 13:01:50 dv6600 kernel: [   31.684400] 802.1Q VLAN Support v1.8 Ben Greear <greearb>
Jul  9 13:01:50 dv6600 kernel: [   31.684404] All bugs added by David S. Miller <davem>
Jul  9 13:01:53 dv6600 systemd[1]: Startup finished in 1s 184ms 457us (kernel) + 6s 783ms 771us (initrd) + 26s 389ms 769us (userspace) = 34s 357ms 997us.
Jul  9 13:01:55 dv6600 kernel: [   37.084139] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/I�gc/4
Jul  9 13:02:15 dv6600 kernel: [   57.092385] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Jul  9 13:02:16 dv6600 pam: gdm-password[1294]: Error attempting to open [/home/jairot/.ecryptfs/wrapped-passphrase] for reading
Jul  9 13:02:16 dv6600 pam: gdm-password[1294]: Error attempting to unwrap passphrase from file [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]
Jul  9 13:02:17 dv6600 kernel: [   59.129435] fuse init (API version 7.16)
Jul  9 13:06:07 dv6600 kernel: [  288.877794] cfg80211: Calling CRDA to update world regulatory domain
Jul  9 13:06:07 dv6600 kernel: [  288.932163] cfg80211: World regulatory domain updated:
Jul  9 13:06:07 dv6600 kernel: [  288.932168] cfg80211:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Jul  9 13:06:07 dv6600 kernel: [  288.932173] cfg80211:     (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.932178] cfg80211:     (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.932182] cfg80211:     (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.932186] cfg80211:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.932190] cfg80211:     (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.932209] cfg80211: Calling CRDA for country: ES
Jul  9 13:06:07 dv6600 kernel: [  288.938235] cfg80211: Regulatory domain changed to country: ES
Jul  9 13:06:07 dv6600 kernel: [  288.938240] cfg80211:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Jul  9 13:06:07 dv6600 kernel: [  288.938244] cfg80211:     (2402000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.938248] cfg80211:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (N/A, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.938252] cfg80211:     (5250000 KHz - 5330000 KHz @ 40000 KHz), (N/A, 2000 mBm)
Jul  9 13:06:07 dv6600 kernel: [  288.938256] cfg80211:     (5490000 KHz - 5710000 KHz @ 40000 KHz), (N/A, 2700 mBm)

$ sudo tail -n 50 /var/log/secure
Jul  8 14:57:12 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul  8 14:57:17 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul  8 14:57:23 dv6600 pam: gdm-password[1272]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul  8 14:57:23 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul  8 14:57:38 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.63 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul  8 14:57:42 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 14:57:42 dv6600 pkexec[1632]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 3]
Jul  8 14:57:48 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 14:57:48 dv6600 pkexec[1736]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 10]
Jul  8 15:11:34 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:11:34 dv6600 pkexec[2251]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 3]
Jul  8 15:11:40 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:11:40 dv6600 pkexec[2258]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 10]
Jul  8 15:15:57 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:15:57 dv6600 pkexec[3427]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 3]
Jul  8 15:16:05 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:16:05 dv6600 pkexec[3430]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 10]
Jul  8 15:32:51 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:32:51 dv6600 pkexec[3824]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 3]
Jul  8 15:33:00 dv6600 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=500)
Jul  8 15:33:00 dv6600 pkexec[3831]: jairot: Executing command [USER=root] [TTY=unknown] [CWD=/home/jairot] [COMMAND=/usr/sbin/gnome-power-backlight-helper --set-brightness 10]
Jul  9 11:59:59 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Jul  9 11:59:59 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul  9 12:00:28 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.27 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul  9 12:00:35 dv6600 pam: gdm-password[1367]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul  9 12:00:35 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.27, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul  9 12:00:50 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.65 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul  9 12:10:02 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Jul  9 12:10:03 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul  9 12:10:09 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul  9 12:10:16 dv6600 pam: gdm-password[1271]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul  9 12:10:16 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul  9 12:10:31 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.63 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul  9 12:23:58 dv6600 pam: gdm-password[1271]: pam_unix(gdm-password:session): session closed for user jairot
Jul  9 12:29:07 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Jul  9 12:29:08 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul  9 12:29:13 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul  9 12:29:19 dv6600 pam: gdm-password[1296]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul  9 12:29:20 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul  9 12:29:35 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.63 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul  9 13:01:50 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Jul  9 13:01:50 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul  9 13:01:55 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul  9 13:02:16 dv6600 pam: gdm-password[1272]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul  9 13:02:17 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul  9 13:02:32 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.63 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul  9 13:05:02 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/messages
Jul  9 13:05:43 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/secure
Jul  9 13:06:07 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/messages
Jul  9 13:06:09 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/secure


> Well, I've almost forgot... SELinux, try if it works with selinux in permissive
> mode: 
> a) add "enforcing=0" as kernel argument in grub, 
> OR
> b) boot, ctrl-alt-f2, log in as root and execute:
> setenforce 0
> 
> then selinux will run in permissive mode until next reboot.

I chose option B and... It worked!
Starting session auto-mounted ~/Private, but SELinux gave me this alert:

SELinux is preventing /usr/libexec/gdm-session-worker from getattr access on the archivo /home/jairot/.ecryptfs/auto-mount.

*****  Sugerencia de complemento restorecon (82.4 confidence)  ***************

Siyou want to fix the label. 
/home/jairot/.ecryptfs/auto-mount default label should be user_home_t.
Entoncesyou can run restorecon.
Hacer
# /sbin/restorecon -v /home/jairot/.ecryptfs/auto-mount

*****  Sugerencia de complemento file (7.05 confidence)  *********************

Siyou think this is caused by a badly mislabeled machine.
Entoncesyou need to fully relabel.
Hacer
touch /.autorelabel; reboot

*****  Sugerencia de complemento file (7.05 confidence)  *********************

Siyou think this is caused by a badly mislabeled machine.
Entoncesyou need to fully relabel.
Hacer
touch /.autorelabel; reboot

*****  Sugerencia de complemento catchall_labels (4.59 confidence)  **********

Sidesea permitir que gdm-session-worker tenga getattr acceso al auto-mount file
Entoncesyou need to change the label on /home/jairot/.ecryptfs/auto-mount
Hacer
# semanage fcontext -a -t FILE_TYPE '/home/jairot/.ecryptfs/auto-mount'
where FILE_TYPE is one of the following: selinux_config_t, bin_t, cert_t, lib_t, usr_t, var_t, wtmp_t, xserver_exec_t, default_context_t, pam_console_exec_t, sosreport_tmp_t, hwdata_t, locale_t, sssd_public_t, var_auth_t, rpm_tmp_t, etc_t, fonts_t, dbusd_exec_t, user_fonts_t, user_tmpfs_t, proc_t, logfile, sysfs_t, xdm_t, ld_so_cache_t, loadkeys_exec_t, krb5_keytab_t, xdm_dbusd_t, xdm_spool_t, fonts_cache_t, system_cronjob_var_lib_t, ssh_agent_exec_t, plymouthd_var_log_t, policykit_var_lib_t, crack_db_t, user_tmp_t, ssh_home_t, xserver_tmpfs_t, krb5_conf_t, iceauth_home_t, plymouth_exec_t, xauth_exec_t, xauth_home_t, auth_cache_t, alsa_etc_rw_t, xdm_tmpfs_t, user_cron_spool_t, sysctl_dev_t, sysctl_net_t, rpm_exec_t, admin_home_t, security_t, pulseaudio_exec_t, mount_exec_t, gconf_etc_t, shell_exec_t, consolekit_log_t, pam_exec_t, krb5_home_t, proc_afs_t, oddjob_mkhomedir_exec_t, xserver_log_t, dbusd_etc_t, abrt_var_run_t, var_lib_t, user_home_t, updpwd_exec_t, xdm_tmp_t, userdomain, xserver_t, fusermount_exec_t, configfile, domain, rpm_var_cache_t, faillog_t, logfile, lastlog_t, sysctl_crypto_t, proc_net_t, var_log_t, chkpwd_exec_t, policykit_reload_t, xdm_etc_t, xdm_log_t, gnome_home_type, user_tmp_t, hostname_exec_t, samba_var_t, initrc_var_run_t, gkeyringd_exec_t, pam_var_run_t, rpm_var_lib_t, xdm_var_lib_t, xdm_var_run_t, net_conf_t, abrt_t, init_exec_t, lib_t, etc_runtime_t, anon_inodefs_t, gconf_home_t, openct_var_run_t, sysctl_kernel_t, config_usr_t, abrt_helper_exec_t, pcscd_var_run_t, udev_var_run_t, alsa_exec_t, xkb_var_lib_t, shutdown_exec_t, consoletype_exec_t, user_home_t, xdm_rw_etc_t, ld_so_t, accountsd_var_lib_t, xdm_exec_t, xdm_home_t, xdm_lock_t, pam_var_console_t, textrel_shlib_t, system_dbusd_var_lib_t, policykit_auth_exec_t, cgroup_t, rpm_script_tmp_t, krb5_host_rcache_t, cert_t, init_t, security_t, systemd_systemctl_exec_t, net_conf_t, file_context_t, xsession_exec_t, shell_exec_t. 
Then execute: 
restorecon -v '/home/jairot/.ecryptfs/auto-mount'


*****  Sugerencia de complemento catchall (1.31 confidence)  *****************

Siyou believe that gdm-session-worker should be allowed getattr access on the auto-mount file by default.
Entoncesyou should report this as a bug.
You can generate a local policy module to allow this access.
Hacer
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexto Fuente               system_u:system_r:xdm_t:s0-s0:c0.c1023
Contexto Destino              unconfined_u:object_r:file_t:s0
Objetos Destino               /home/jairot/.ecryptfs/auto-mount [ file ]
Fuente                        gdm-session-wor
Dirección de Fuente           /usr/libexec/gdm-session-worker
Puerto                        <Desconocido>
Nombre de Equipo              dv6600.casa
Paquetes RPM Fuentes          gdm-3.0.4-1.fc15
Paquetes RPM Destinos         
RPM de Políticas              selinux-policy-3.9.16-30.fc15
SELinux Activado              True
Tipo de Política              targeted
Modo Obediente                Permissive
Nombre de Equipo              dv6600.casa
Plataforma                    Linux dv6600.casa 2.6.38.8-32.fc15.x86_64 #1 SMP
                              Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64
Cantidad de Alertas           3
Visto por Primera Vez         sáb 09 jul 2011 13:10:29 CEST
Visto por Última Vez          sáb 09 jul 2011 13:10:34 CEST
ID Local                      e928a8d2-af20-4560-b57c-959986c7e7cb

Mensajes de Auditoría Crudos
type=AVC msg=audit(1310209834.515:63): avc:  denied  { getattr } for  pid=1368 comm="gdm-session-wor" path="/home/jairot/.ecryptfs/auto-mount" dev=sda7 ino=3015342 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file


type=SYSCALL msg=audit(1310209834.515:63): arch=x86_64 syscall=stat success=yes exit=0 a0=1f7e390 a1=7fffe0e8b4c0 a2=7fffe0e8b4c0 a3=6564726f6365722e items=0 ppid=1276 pid=1368 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,file_t,file,getattr

audit2allow

#============= xdm_t ==============
allow xdm_t file_t:file getattr;

audit2allow -R

#============= xdm_t ==============
allow xdm_t file_t:file getattr;
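An added example, not from the bug, from sealert or from audit2allow: parse the raw AVC record quoted above and separate a labelling problem (target type file_t, which restorecon fixes) from a genuine policy gap that should be reported rather than allowed away. The first audit line is the one from comment 20; the second and third are constructed.

```python
import re

# First line: the AVC record quoted in comment 20. Second line: constructed,
# same subject but a correctly labelled target. Third line: a non-AVC record.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1310209834.515:63): avc:  denied  { getattr } for  pid=1368 '
    'comm="gdm-session-wor" path="/home/jairot/.ecryptfs/auto-mount" dev=sda7 ino=3015342 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file',
    'type=AVC msg=audit(1310209900.001:70): avc:  denied  { read open } for  pid=1368 '
    'comm="gdm-session-wor" path="/home/jairot/.ecryptfs/wrapped-passphrase" dev=sda7 ino=3015350 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1310209834.515:63): arch=x86_64 syscall=stat success=yes exit=0',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types a file carries when it has no proper label. A denial against one of
# these is a labelling problem (sealert's restorecon suggestion), not a policy gap.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


def split_context(ctx):
    """'user:role:type:range' -> dict; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3) + [""]  # pad so a range-less context still unpacks
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_avc(line):
    """Parse one raw audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }


def triage(record):
    """MISLABEL: fix the file's label. POLICY: the policy itself forbids the
    access; report the rule that is missing instead of blanket-allowing it."""
    ttype = record["tcontext"]["type"]
    if ttype in UNLABELLED_TYPES:
        return {"verdict": "MISLABEL",
                "action": "restorecon -v '%s'" % record["path"]}
    return {"verdict": "POLICY",
            "action": "report %s -> %s:%s %s to the policy maintainers" % (
                record["scontext"]["type"], ttype, record["tclass"],
                " ".join(record["perms"]))}


def triage_log(lines):
    """Run parse + triage over raw audit lines, skipping non-AVC and granted records."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            results.append((rec["serial"], rec["comm"], triage(rec)))
    return results


if __name__ == "__main__":
    for serial, comm, verdict in triage_log(SAMPLE_AUDIT_LINES):
        print(serial, comm, verdict)
```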

Comment 21 Michal Hlavinka 2011-07-11 10:14:20 UTC
> > Well, I've almost forgot... SELinux, try if it works with selinux in permissive
> > mode: 
> > a) add "enforcing=0" as kernel argument in grub, 
> > OR
> > b) boot, ctrl-alt-f2, log in as root and execute:
> > setenforce 0
> > 
> > then selinux will run in permissive mode until next reboot.
> 
> I chose option B and... It worked!
> Starting session auto-mounted ~/Private, but SELinux gave me this alert:
> 

ok, so let's get attention from SELinux team, ccing mgrepl

Comment 22 Yajo 2011-07-11 13:13:29 UTC
Today I installed the nVidia drivers from rpmfusion and made a kernel rebuild with this:

yum install kmod-nvidia
new-kernel-pkg --mkinitrd --dracut --update $(rpm -q --queryformat="%{version}-%{release}.%{arch}\n" kernel | tail -n 1)

Unexpectedly I noticed that just after doing this and rebooting, ~/Private automounts perfectly.

I don't fully understand why this now works, I was only following the instructions in http://www.fedorafaq.org/#nvidia.

Comment 23 Yajo 2011-07-14 08:14:56 UTC
I think I broke something by that new-kernel-pkg command, as after an upgrade I wasn't able to start graphic mode.

I reinstalled F15, and kmod-nvidia without the new-kernel-pkg stuff, and now the system works, but the ecryptfs bug is present again.

Comment 24 Michal Hlavinka 2011-07-14 08:43:57 UTC
does it still work if you try selinux permissive mode?

Comment 25 Yajo 2011-07-17 07:42:19 UTC
(In reply to comment #24)
> does it still work if you try selinux permissive mode?

Not this time.

This is weird. Now it's even worse: the first time I mount it, it mounts badly.

See this terminal session just after login, running in permissive mode:


$ ls ~/Private/ # At startup it is not mounted
Access-Your-Private-Data.desktop  README.txt

$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls ~/Private/ # After 1st mount, wrong files appear
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g..iE1EwEwXDMubyWsWfxR----
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ ecryptfs-umount-private 

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls ~/Private/ # After 2nd mount, good files appear
private-file-1  private-file-2

Comment 26 Yajo 2011-07-28 11:43:12 UTC
any updates on this?

Comment 27 Michal Hlavinka 2011-07-28 13:15:25 UTC
right, I've located several issues and fixed them, so please test ecryptfs-utils-87-7.fc15:

sudo yum update --enablerepo=updates-testing ecryptfs-utils

if it works for you. It's possible some selinux fixes are required too, so if it does not work, try it with selinux in permissive mode and attach output of

sudo tail -n 50 /var/log/secure

thanks

Comment 28 Yajo 2011-08-02 17:16:17 UTC
(In reply to comment #27)
> right, I've located several issues and fixed them, so please test
> ecryptfs-utils-87-7.fc15:
> 
> sudo yum update --enablerepo=updates-testing ecryptfs-utils

I updated it, but the problem persists.

> if it works for you. It's possible some selinux fixes are required too, so if
> it does not work, try it with selinux in permissive mode and attach output of
> 
> sudo tail -n 50 /var/log/secure
> 
> thanks

It does not work, but anyway:

$ sudo tail -n 50 /var/log/secure
Jul 31 11:48:53 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.70, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8) (disconnected from bus)
Jul 31 11:49:06 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.108 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 31 11:50:39 dv6600 pam: gdm-password[13593]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul 31 11:50:39 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.108, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 31 11:50:52 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session4 (system bus name :1.139 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul 31 19:34:51 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Jul 31 19:34:51 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Jul 31 19:34:57 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 31 19:35:13 dv6600 pam: gdm-password[1270]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Jul 31 19:35:14 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 31 19:35:30 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.68 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Jul 31 20:38:25 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/semanage fcontext -a -t SIMILAR_TYPE nvidiactl
Jul 31 20:38:40 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/sbin/restorecon -v nvidiactl
Jul 31 20:39:42 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/setsebool -P wine_mmap_zero_ignore 1
Aug  2 18:07:13 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.68, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8) (disconnected from bus)
Aug  2 18:07:16 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.199 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Aug  2 18:55:50 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/yum update --enablerepo=updates-testing ecryptfs-utils
Aug  2 18:58:13 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Aug  2 18:58:13 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Aug  2 18:58:18 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug  2 18:58:23 dv6600 pam: gdm-password[1296]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Aug  2 18:58:23 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug  2 18:58:38 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.66 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Aug  2 18:59:09 dv6600 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug  2 18:59:09 dv6600 login: ROOT LOGIN ON tty2
Aug  2 18:59:15 dv6600 login: pam_unix(login:session): session closed for user root
Aug  2 19:00:29 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Aug  2 19:00:29 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Aug  2 19:00:34 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug  2 19:00:38 dv6600 pam: gdm-password[1300]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Aug  2 19:00:38 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug  2 19:00:54 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.66 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Aug  2 19:02:07 dv6600 runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
Aug  2 19:02:07 dv6600 runuser: pam_unix(runuser:session): session closed for user root
Aug  2 19:02:14 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug  2 19:02:22 dv6600 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug  2 19:02:22 dv6600 login: ROOT LOGIN ON tty2
Aug  2 19:02:25 dv6600 login: pam_unix(login:session): session closed for user root
Aug  2 19:02:31 dv6600 pam: gdm-password[1287]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
Aug  2 19:02:31 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug  2 19:02:47 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.71 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8)
Aug  2 19:05:14 dv6600 sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/secure

Comment 29 Michal Hlavinka 2011-08-03 06:22:30 UTC
that's odd, I don't see any ecryptfs message in the log, so the ecryptfs pam module is not used in your case. Do you still have ecryptfs in postlogin as you had in comment #17? Do you have ecryptfs-utils-87-7.fc15 ? ( rpm -q ecryptfs-utils will tell you) Do you use a normal password for log in or something special? Like fingerprint reader,... ? Please test if it works in a terminal - after logging in as root and switching selinux to permissive mode, switch to another terminal (alt-f3 for example) and try to log in as a normal user.

Comment 30 Michal Hlavinka 2011-08-03 14:49:34 UTC
and one small change - use ecryptfs-utils-87-8.fc15, the last version contains one fix you need, but it also contains some regression (works only for ssh login : ssh <user>@localhost , but it still does not explain why there are no ecryptfs messages in the secure log). So -87-8.fc15 is needed. This version is not in the updates-testing repository (yet), but you can update ecryptfs-utils using:

yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm

Comment 31 Yajo 2011-08-07 09:39:20 UTC
Before anything, sorry for the delay, I had to reinstall Fedora and did not have the computer available for a while.

(In reply to comment #30)
> -87-8.fc15 is needed. This version is not in the
> updates-testing repository (yet), but you can update ecryptfs-utils using:
> 
> yum localupdate --nogpgcheck
> http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm

Done.

(In reply to comment #29)
> that's odd, I don't see any ecryptfs message in the log, so ecryptfs pam
> modules is not used in your case. Do you still have ecryptfs in postlogin as
> you had in comment #17?

Oops, I did not. After reinstalling I forgot to do the authconfig stuff. So, I did:

$ authconfig --enableecryptfs --updateall
$ cat /etc/pam.d/postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_ecryptfs.so unwrap

password    optional      pam_ecryptfs.so unwrap

session     optional      pam_ecryptfs.so unwrap
$ sudo reboot

After rebooting, bug persists.


> Do you have ecryptfs-utils-87-7.fc15 ? ( rpm -q
> ecryptfs-utils will tell you)

$ rpm -q ecryptfs-utils
ecryptfs-utils-87-8.fc15.x86_64

> Do you use normal password for log in or
> something special? Like fingerprint reader,... ?

Normal password. And it is the same that I use as wrapper for ecryptfs (I don't know if it matters).

> Please test if it works in
> terminal - after logging in as root and switching selinux to permisive mode,
> switch to another terminal (alt-f3 for example) and try to log in as normal
> user.

I did that and bug persists also.

BTW, after doing authconfig --enableecryptfs --updateall, seems like now there is something helpful in the log:

$ sudo cat /var/log/secure | grep ecryptfs
Aug  7 08:05:58 hpfedora sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/usermod -aG ecryptfs jairot
Aug  7 08:05:58 hpfedora usermod[2113]: add 'jairot' to group 'ecryptfs'
Aug  7 08:05:58 hpfedora usermod[2113]: add 'jairot' to shadow group 'ecryptfs'
Aug  7 11:10:33 hpfedora sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm
Aug  7 11:23:23 hpfedora sudo:   jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/authconfig --enableecryptfs --updateall
Aug  7 11:31:55 hpfedora login: Unable to get ecryptfs pam data : No such file or directory
Aug  7 11:32:06 hpfedora login: Incorrect wrapping key for file [/home/jairot/.ecryptfs/wrapped-passphrase]
Aug  7 11:32:06 hpfedora login: Error attempting to unwrap passphrase from file [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]

I hope it helps. Thanks for all.

Comment 32 Michal Hlavinka 2011-08-09 13:11:16 UTC
OK, I've found and fixed two bugs:

> $ sudo cat /var/log/secure | grep ecryptfs

this does not work correctly, because "ecryptfs" was not present in all error messages, but I've changed it and all messages are now prefixed with "ecryptfs:" so you can use grep now

> Aug  7 11:31:55 hpfedora login: Unable to get ecryptfs pam data : No such file
> or directory

this should not happen (and the error message is wrong). It should work now, or at least the improved error messages should tell us what's wrong

> Aug  7 11:32:06 hpfedora login: Incorrect wrapping key for file
> [/home/jairot/.ecryptfs/wrapped-passphrase]
> Aug  7 11:32:06 hpfedora login: Error attempting to unwrap passphrase from file
> [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]

there was some problem with passphrase survival between auth and session pam calls, it's fixed now

please test this version:

yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm

thanks

Comment 33 Yajo 2011-08-09 13:29:42 UTC
(In reply to comment #32)
> there was some problem with passphrase survival between auth and session pam
> calls, it's fixed now
> 
> please this version:
> 
> yum localupdate --nogpgcheck
> http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
> 
> thanks

I did that, rebooted, and now it works perfectly.

Good work, thanks a lot.

Comment 34 Yajo 2011-08-16 20:23:01 UTC
Sorry to bother you again with this. Seems like this issue is not 100% solved.

If automount is turned on, works fine, but if I turn it off, reboot and try to mount it manually with ecryptfs-mount-private, I have exactly the same issue as in comment #25.

I tried in permissive mode and it does the same.

Comment 35 Michal Hlavinka 2011-08-17 13:28:41 UTC
I've tried to reproduce it, but it's working for me.
Do you have any ecryptfs messages in /var/log/messages ?

What is output of

mount | grep ecryptfs
and
keyctl show

after ecryptfs-mount-private?

Does it work after second mount like in comment #25? If it works, what is output of mount and keyctl this time?

Comment 36 Yajo 2011-08-18 15:48:54 UTC
(In reply to comment #35)
> I've tried to reproduce it, but it's working for me.
> Do you have any ecryptfs messages in /var/log/messages ?
> 
> What is output of
> 
> mount | grep ecryptfs
> and
> keyctl show
> 
> after ecryptfs-mount-private?

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ mount | grep ecryptfs
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
508586078 --alswrv    500   500       \_ user: 4f4809770febd99e


> Does it work after second mount like in comment #25? If it works, what is
> output of mount and keyctl this time?

It does. Continuing previous console session:

$ ecryptfs-umount-private 

$ ls Private/
Access-Your-Private-Data.desktop  README.txt

$ mount | grep ecryptfs

$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls Private/
private-file-1  private-file-2

$ mount | grep ecryptfs
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_fnek_sig=b43e2e813afe7c23,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
983281705 --alswrv    500   500       \_ user: b43e2e813afe7c23
271662912 --alswrv    500   500       \_ user: 4f4809770febd99e


Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...

Comment 37 Michal Hlavinka 2011-08-19 09:27:16 UTC
Thanks. So your keyring after first attempt contains only file encryption key, but file name encryption key is missing. Please paste what you get when running:

bash -x /usr/bin/ecryptfs-mount-private

instead of just ecryptfs-mount-private

also what is content of your ~/.ecryptfs/Private.sig ?

> Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...

/var/log/secure is used only for pam automount, standard log is /var/log/messages

PS: be sure to have the latest version from the updates-testing repository (ecryptfs-utils-90-1.fc15), there are some fixes in ecryptfs-mount-private. They are probably not related to your problem. It's just so I can compare your output with the expected one from the same version.

Comment 38 Alex 2011-08-19 17:40:06 UTC
The proposed fix has a dependency problem with glibc, it wants glibc_2.14 where a RHEL 6.x type OS is glibc_2.12 based. Is this fix only available in Fedora?

(automount also fails here while manual mount works fine)

(In reply to comment #32)
> please this version:
> 
> yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
> 
> thanks

Comment 39 Alex 2011-08-20 22:23:48 UTC
I tried the commands below. One is not supposed to install Fedora RPMs on a RHEL based OS, but I didn't know any other way.

rpm --force --nodeps -Uvh http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-2.14-5.x86_64.rpm http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-common-2.14-5.x86_64.rpm
yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
authconfig --enableecryptfs --updateall

Something DID change, as authconfig no longer outputs:
"authconfig.py: error: no such option: --enableecryptfs"

But my privates are still not automounted when I enter my session.

There is still no pam_ecryptfs.so in /etc/pam.d/system-auth but there is something:

# grep -iH ecryptfs /etc/pam.d/*
/etc/pam.d/postlogin-ac:auth        optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:password    optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:session     optional      pam_ecryptfs.so unwrap

So here is some more interesting fiddling around after logging in, I hope someone can give me some pointers on making this work.

$ mount | grep ecryptfs
(nothing)
$ keyctl list @us
1 key in keyring:
973882876: --alswrv   500    -1 keyring: _uid.500
$ keyctl read 973882876
No data in key

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [blah] into the user session keyring
$ mount | grep ecryptfs
/home/user/.Private on /home/user/Private type ecryptfs (blahblah)
$ keyctl read 973882876
8 bytes of data in key:
00f91321 c5080815

Comment 40 Michal Hlavinka 2011-08-22 11:32:35 UTC
(In reply to comment #38)
> The proposed fix has a dependency problem with glibc, it wants glibc_2.14 where
> RHEL 6.x type os is glibc_2.12 based. Is this fix only available in Fedora?

yes

If you want this fix in RHEL6 you have to file a new feature request (bug): 1. for authconfig and 2. for ecryptfs-utils

> rpm --force --nodeps -Uvh
> http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-2.14-5.x86_64.rpm
> http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-common-2.14-5.x86_64.rpm

this will break your system. You can't use Fedora packages in RHEL

Comment 41 Yajo 2011-08-22 14:05:29 UTC
(In reply to comment #37)

I hope the following helps.

> PS:be sure to have latest version from updates-testing repository
> (ecryptfs-utils-90-1.fc15), there are some fixes in ecryptfs-mount-private.
> They are probably not related to your problem. It's just so I can compare your
> output with the expected one from the same version.

I had an older version. Now it is updated.

$ rpm -q ecryptfs-utils
ecryptfs-utils-90-1.fc15.x86_64

> Thanks. So your keyring after first attempt contains only file encryption key,
> but file name encryption key is missing. Please paste what you get when
> running:
> 
> bash -x /usr/bin/ecryptfs-mount-private
> 
> instead of just ecryptfs-mount-private

15:51:51 jairot@hpfedora ~
$ bash -x /usr/bin/ecryptfs-mount-private
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
++ gettext 'Enter your login passphrase:'
+ MESSAGE='Enter your login passphrase:'
+ '[' -f /home/jairot/.ecryptfs/wrapping-independent ']'
+ WRAPPED_PASSPHRASE_FILE=/home/jairot/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/jairot/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ '[' -f /home/jairot/.ecryptfs/wrapped-passphrase -a -f /home/jairot/.ecryptfs/Private.sig ']'
+ tries=0
++ stty -g
+ stty_orig=6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ '[' 0 -lt 3 ']'
+ echo -n 'Enter your login passphrase:'
Enter your login passphrase:+ stty -echo
++ head -n1
+ LOGINPASS=******
+ stty 6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo

++ wc -l
+ '[' 2 = 1 ']'
+ printf '%s\0' ******
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/jairot/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
+ break
+ '[' 0 -ge 3 ']'
+ /sbin/mount.ecryptfs_private
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ exit 0

15:54:39 jairot@hpfedora ~
$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

15:55:04 jairot@hpfedora ~
$ bash -x /usr/bin/ecryptfs-umount-private 
+ TEXTDOMAIN=ecryptfs-utils
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ /sbin/umount.ecryptfs_private
++ cat /home/jairot/.ecryptfs/Private.sig
+ for sig in '`cat "$HOME/.ecryptfs/Private.sig"`'
++ keyctl list @u
++ grep '4f4809770febd99e$'
++ awk -F: '{print $1}'
+ for sig in '`cat "$HOME/.ecryptfs/Private.sig"`'
++ awk -F: '{print $1}'
++ grep 'b43e2e813afe7c23$'
++ keyctl list @u
+ '[' '' = 1 ']'

15:55:11 jairot@hpfedora ~
$ bash -x /usr/bin/ecryptfs-mount-private
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
++ gettext 'Enter your login passphrase:'
+ MESSAGE='Enter your login passphrase:'
+ '[' -f /home/jairot/.ecryptfs/wrapping-independent ']'
+ WRAPPED_PASSPHRASE_FILE=/home/jairot/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/jairot/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ '[' -f /home/jairot/.ecryptfs/wrapped-passphrase -a -f /home/jairot/.ecryptfs/Private.sig ']'
+ tries=0
++ stty -g
+ stty_orig=6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ '[' 0 -lt 3 ']'
+ echo -n 'Enter your login passphrase:'
Enter your login passphrase:+ stty -echo
++ head -n1
+ LOGINPASS=******
+ stty 6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo

++ wc -l
+ '[' 2 = 1 ']'
+ printf '%s\0' ******
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/jairot/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
+ break
+ '[' 0 -ge 3 ']'
+ /sbin/mount.ecryptfs_private
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ exit 0

15:55:18 jairot@hpfedora ~
$ ls Private/
private-file-1  private-file-2

> also what is content of your ~/.ecryptfs/Private.sig ?

$ cat ~/.ecryptfs/Private.sig 
4f4809770febd99e
b43e2e813afe7c23

> > Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...
> 
> /var/log/secure is used only for pam automount, standard log is
> /var/log/messages

16:01:14 jairot@hpfedora ~
$ sudo cat /var/log/messages | grep ecryptfs
Aug 22 15:15:00 hpfedora pam: gdm-fingerprint[1293]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Aug 22 15:15:00 hpfedora pam: gdm-fingerprint[1293]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [jairot]
Aug 22 15:15:02 hpfedora pam: gdm-password[1292]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Aug 22 15:15:02 hpfedora pam: gdm-password[1292]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [jairot]
Aug 22 15:15:03 hpfedora pam: gdm-password[1292]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Aug 22 15:15:03 hpfedora pam: gdm-password[1308]: ecryptfs: private_dir: Skipping automatic eCryptfs mount
Aug 22 15:51:49 hpfedora yum[16273]: Updated: ecryptfs-utils-90-1.fc15.x86_64
Aug 22 15:54:39 hpfedora kernel: [ 2418.236517] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
Aug 22 15:55:18 hpfedora kernel: [ 2457.249033] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]

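Comment 37 diagnoses the first-mount symptom from the keyctl output: after the first ecryptfs-mount-private only the file-encryption key (4f4809770febd99e) is in the keyring, while the filename-encryption key (b43e2e813afe7c23, the second line of Private.sig) is missing, and the mount line accordingly has no ecryptfs_fnek_sig option. The check below is an added example, not part of the bug report or of ecryptfs-utils; it runs in POSIX shell over saved copies of Private.sig, `keyctl show` and `mount | grep ecryptfs`, and the sample files are constructed from the output pasted in comments 36 and 41.

```shell
#!/bin/sh
# Added example (not from the report or ecryptfs-utils): verify that every
# signature in Private.sig is loaded in the user keyring and that the mount
# carries a filename-encryption key (FNEK) signature.

# missing_sigs SIGFILE KEYCTLFILE
#   Print each signature from SIGFILE that has no "user: <sig>" entry in the
#   saved "keyctl show" output. Prints nothing when all keys are present.
missing_sigs() {
    sigfile=$1; keyfile=$2
    while IFS= read -r sig || [ -n "$sig" ]; do
        [ -n "$sig" ] || continue
        grep -q "user: $sig\$" "$keyfile" || printf '%s\n' "$sig"
    done < "$sigfile"
}

# mount_has_fnek MOUNTFILE
#   Return 0 if the saved mount line lists ecryptfs_fnek_sig, 1 otherwise.
#   Without it the lower directory's encrypted names are what ls shows
#   (the ECRYPTFS_FNEK_ENCRYPTED.* listing seen in the thread).
mount_has_fnek() {
    grep -q 'ecryptfs_fnek_sig=' "$1"
}

# private_state SIGFILE KEYCTLFILE MOUNTFILE
#   -> "ok" | "missing-fnek" | "missing-keys: <sig> [<sig>...]"
private_state() {
    missing=$(missing_sigs "$1" "$2" | tr '\n' ' ')
    missing=${missing% }
    if [ -n "$missing" ]; then
        printf 'missing-keys: %s\n' "$missing"
    elif ! mount_has_fnek "$3"; then
        printf 'missing-fnek\n'
    else
        printf 'ok\n'
    fi
}

# --- constructed sample data (values copied from comments 36 and 41) ---
work=$(mktemp -d)
printf '4f4809770febd99e\nb43e2e813afe7c23\n' > "$work/Private.sig"
cat > "$work/keyctl-first" <<'EOF'
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
508586078 --alswrv    500   500       \_ user: 4f4809770febd99e
EOF
cat > "$work/mount-first" <<'EOF'
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
EOF
cat > "$work/keyctl-second" <<'EOF'
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
983281705 --alswrv    500   500       \_ user: b43e2e813afe7c23
271662912 --alswrv    500   500       \_ user: 4f4809770febd99e
EOF
cat > "$work/mount-second" <<'EOF'
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_fnek_sig=b43e2e813afe7c23,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
EOF

echo "first mount:  $(private_state "$work/Private.sig" "$work/keyctl-first" "$work/mount-first")"
echo "second mount: $(private_state "$work/Private.sig" "$work/keyctl-second" "$work/mount-second")"
```

The per-signature lookup is the same one the ecryptfs-umount-private trace above performs (`keyctl list @u | grep '<sig>$'` for each line of Private.sig), only run before the mount rather than during the unmount. On a live system replace the sample files with `~/.ecryptfs/Private.sig`, `keyctl show > keyctl.out` and `mount | grep ecryptfs > mount.out`.
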
Comment 42 Michal Hlavinka 2011-08-30 15:07:38 UTC
Ok, I have a first guess what's going on here. Before the first ecryptfs-mount-private (using bash -x is no longer needed) you probably do not have the ecryptfs module loaded. Check this with this command, it should return nothing:

lsmod | grep ecryptfs

still before ecryptfs-mount-private, load ecryptfs module:

mount.ecryptfs_private --loadmodule

then try to mount it with ecryptfs-mount-private. Does it work?

Comment 43 Yajo 2011-09-04 13:47:58 UTC
(In reply to comment #42)
> Ok, I have first guess what's going on here. Before first
> ecryptfs-mount-private (using bash -x is no longer needed) you probably do not
> have ecryptfs module loaded. Check this with this command, it should return
> nothing:
> 
> lsmod | grep ecryptfs

True.

> still before ecryptfs-mount-private, load ecryptfs module:
> 
> mount.ecryptfs_private --loadmodule
> 
> then try to mount it with ecryptfs-mount-private. Does it work?

Yes!

Comment 44 Michal Hlavinka 2011-09-09 08:06:28 UTC
it should be fixed in ecryptfs-utils-90-2.fc15 (in updates-testing repository)

Comment 45 Yajo 2011-09-09 11:56:44 UTC
(In reply to comment #44)
> it should be fixed in ecryptfs-utils-90-2.fc15 (in updates-testing repository)

It works!

Comment 46 Alex 2011-09-29 22:10:07 UTC
This is now quite a long thread, and I am hoping that someone can summarize how to make this work. I installed Fedora 15 on my Thinkpad Edge today.

* Fedora 15 contains ecryptfs-utils-90-2.fc15 from the updates repo after installing ecryptfs-utils
* ecryptfs-setup-private works
* ecryptfs-mount-private works
* automount on login (automated through PAM) does not work, so
    * privatizing .config dirs and symlinking to Private fails

* auto-umount on logout does not work either, but maybe that only works when Private was automatically mounted in the first place. Not through ecryptfs-mount-private.

* Also, after doing this on a brand new installation, I was not a sudoer anymore. I used to be. (??)

Comment 47 Paolo Bonzini 2011-09-30 10:56:08 UTC
> * automount on login (automated through PAM) does not work, so
>     * privatizing .config dirs and symlinking to Private fails

Sorry for asking the obvious, but: did you set this up via "authconfig --enableecryptfs --updateall" as root?

Comment 48 Alex 2011-09-30 13:03:23 UTC
@Paolo Bonzini: No. *blush*

As you can see in reply #39, I was aware of this, but I plain old stupid forgot. I will try this out soon, but I am sure it will work.

Anyway, to bring something relevant to the table, the man page for ecryptfs-setup-private mentions the flag -a --all-home, but it is not supported.

Comment 49 Francesco 2011-10-24 13:36:15 UTC
Fresh new F15 and up-to-date installation (today is my Fedora Day! yeah),

# tail -n10 /var/log/messages

Oct 24 15:31:04 dotto pam: gdm-fingerprint[5278]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Oct 24 15:31:04 dotto pam: gdm-fingerprint[5278]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [fdaluisio]
Oct 24 15:31:04 dotto gdm[5293]: ******************* START **********************************
Oct 24 15:31:04 dotto gdm[5293]: ******************* END **********************************
Oct 24 15:31:06 dotto pam: gdm-password[5277]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Oct 24 15:31:06 dotto pam: gdm-password[5277]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [fdaluisio]
Oct 24 15:31:06 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Passphrase file wrapped
Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to open [/home/fdaluisio/.ecryptfs/wrapped-passphrase] for reading
Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to unwrap passphrase from file [/home/fdaluisio/.ecryptfs/wrapped-passphrase]; rc = [-5]
Oct 24 15:31:07 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Error adding passphrase key token to user session keyring; rc = [-5]
Oct 24 15:31:07 dotto pam: gdm-password[5309]: WARNING: unable to log session



# rpm -qa "ecrypfs*"
ecryptfs-utils-90-2.fc15.i686

# rpm -qa "glibc*" 
glibc-common-2.14-5.i686
glibc-2.14-5.i686

NOTE:
fdaluisio is in the ecryptfs group,
ecryptfs-mount-private and ecryptfs-umount-private run from bash after login unwrap the keys and mount the Private directory,
but auto-mount at login does not mount Private.
USEECRYPTFS=yes in /etc/sysconfig/authconfig is OK and --updateall from root is done

[root@dotto pam.d]# grep ecryptfs * 
postlogin:auth        optional      pam_ecryptfs.so unwrap
postlogin:password    optional      pam_ecryptfs.so unwrap
postlogin:session     optional      pam_ecryptfs.so unwrap
postlogin-ac:auth        optional      pam_ecryptfs.so unwrap
postlogin-ac:password    optional      pam_ecryptfs.so unwrap
postlogin-ac:session     optional      pam_ecryptfs.so unwrap


Trouble with gdm-password?

Comment 50 Ling Li 2011-10-24 21:00:36 UTC
Fedora 16 beta, after successfully doing

authconfig --enableecryptfs --updateall
usermod -G ecryptfs <user>
ecryptfs-migrate-home -u <user>

the login still fails to mount Private, due to SELinux preventing /bin/login from accessing files in /home/.ecryptfs/<user>/.ecryptfs.  Below is one of the details from sealert:

SELinux is preventing /bin/login from 'read' accesses on the file wrapped-passphrase.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that login should be allowed read access on the wrapped-passphrase file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                wrapped-passphrase [ file ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.20.1-1.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-46.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux panda
                              3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19
                              05:02:17 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 24 Oct 2011 04:50:47 PM EDT
Last Seen                     Mon 24 Oct 2011 04:50:47 PM EDT
Local ID                      8e425981-86a4-473a-8695-001350285536

Raw Audit Messages
type=AVC msg=audit(1319489447.604:206): avc:  denied  { read } for  pid=4574 comm="login" name="wrapped-passphrase" dev=dm-6 ino=130070 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1319489447.604:206): arch=x86_64 syscall=open success=no exit=EACCES a0=1771f80 a1=0 a2=0 a3=0 items=0 ppid=3470 pid=4574 auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=tty4 ses=9 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,user_home_t,file,read

audit2allow

#============= local_login_t ==============
allow local_login_t user_home_t:file read;

audit2allow -R

#============= local_login_t ==============
allow local_login_t user_home_t:file read;

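The AVC record above can be reduced to the same grouping key that sealert prints as "Hash:" without running sealert. The following POSIX shell function is an added example (not part of this bug report, of ecryptfs-utils or of the SELinux tools): it reads audit.log records on stdin and emits one comm,source_type,target_type,class,permission key per denied AVC, so repeated denials can be counted before deciding whether a policy change (as in bug #712048) or a relabel is the right fix. The sample input is the record quoted in the comment plus one constructed record.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log records.
# Constructed sample input: the AVC record quoted in this bug report and a
# second, constructed record for the same file (the SYSCALL line is ignored).
SAMPLE_AUDIT='type=AVC msg=audit(1319489447.604:206): avc:  denied  { read } for  pid=4574 comm="login" name="wrapped-passphrase" dev=dm-6 ino=130070 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1319489447.604:206): arch=x86_64 syscall=open success=no exit=EACCES comm=login exe=/bin/login
type=AVC msg=audit(1319489500.100:210): avc:  denied  { open } for  pid=4580 comm="login" name="wrapped-passphrase" dev=dm-6 ino=130070 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_keys: for every "type=AVC ... denied" record on stdin, print
# comm,source_type,target_type,tclass,permission (the sealert "Hash:" key).
avc_keys() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set is the text between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            # the type is the third colon-separated field of a context
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") { tclass = kv[2] }
        }
        print comm "," stype "," ttype "," tclass "," perm
    }'
}

# avc_summary: count identical keys, most frequent first.
avc_summary() {
    avc_keys | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample; on a real system feed it
# /var/log/audit/audit.log (read as root) instead.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```
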
Comment 51 Michal Hlavinka 2011-10-25 07:36:43 UTC
(In reply to comment #50)
> Fedora 16 beta, after successfully doing
> 
> authconfig --enableecryptfs --updateall
> usermod -G ecryptfs <user>
> ecryptfs-migrate-home -u <user>
> 
> the login still fails to mount Private, due to SELinux preventing /bin/login from
> accessing files in /home/.ecryptfs/<user>/.ecryptfs.  

known issue, see bug #712048

Comment 52 Michal Hlavinka 2011-10-25 07:39:50 UTC
(In reply to comment #49)
> Fresh new F15 and up-to-date installation (to day is my Fedora Day! yeah),
> 
> # tail -n10 /var/log/messages
> 
...
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to open
> [/home/fdaluisio/.ecryptfs/wrapped-passphrase] for reading
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to unwrap
> passphrase from file [/home/fdaluisio/.ecryptfs/wrapped-passphrase]; rc = [-5]
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Error
> adding passphrase key token to user session keyring; rc = [-5]

interesting, I'll look at it, what is output of 

ll /home/fdaluisio/.ecryptfs/

on your system?

Comment 53 Miroslav Grepl 2011-10-25 07:44:36 UTC
(In reply to comment #51)
> (In reply to comment #50)
> > Fedora 16 beta, after successfully doing
> > 
> > authconfig --enableecryptfs --updateall
> > usermod -G ecryptfs <user>
> > ecryptfs-migrate-home -u <user>
> > 
> > the login still fails to mount Private, due to SELinux preventing /bin/login from
> > accessing files in /home/.ecryptfs/<user>/.ecryptfs.  
> 
> known issue, see bug #712048

Ling,
are you interested in testing of a local policy for ecryptfs?

Comment 54 Francesco 2011-10-25 07:50:51 UTC
(In reply to comment #52)
> interesting, I'll look at it, what is output of 
> 
> ll /home/fdaluisio/.ecryptfs/
> 
> on your system?

Sure, selinux seems ok

fdaluisio@dotto:~/.ecryptfs$ ll -Z *
-rw-rw-r--. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 auto-mount
-rw-rw-r--. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 auto-umount
-rw-------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 Private.mnt
-rw-------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 Private.sig
-r--------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 wrapped-passphrase

Comment 55 Francesco 2011-10-25 08:08:49 UTC
(In reply to comment #54)
> (In reply to comment #52)
> > interesting, I'll look at it, what is output of 
> > 
> > ll /home/fdaluisio/.ecryptfs/
> > 
> > on your system?

fdaluisio@dotto:~/.ecryptfs$ ll
totale 20
drwx------.  2 fdaluisio fdaluisio 4096 24 ott 15.03 ./
drwxr-xr-x. 83 fdaluisio fdaluisio 4096 25 ott 10.14 ../
-rw-rw-r--.  1 fdaluisio fdaluisio    0 24 ott 15.03 auto-mount
-rw-rw-r--.  1 fdaluisio fdaluisio    0 24 ott 15.03 auto-umount
-rw-------.  1 fdaluisio fdaluisio   24 24 ott 15.03 Private.mnt
-rw-------.  1 fdaluisio fdaluisio   34 24 ott 15.03 Private.sig
-r--------.  1 fdaluisio fdaluisio   48 24 ott 15.03 wrapped-passphrase

Comment 56 Ling Li 2011-10-26 00:55:46 UTC
(In reply to comment #53)
> (In reply to comment #51)
> > (In reply to comment #50)
> > > Fedora 16 beta, after successfully doing
> > > 
> > > authconfig --enableecryptfs --updateall
> > > usermod -G ecryptfs <user>
> > > ecryptfs-migrate-home -u <user>
> > > 
> > > the login still fails to mount Private, due to SELinux preventing /bin/login from
> > > accessing files in /home/.ecryptfs/<user>/.ecryptfs.  
> > 
> > known issue, see bug #712048
> 
> Ling,
> are you interested in testing of a local policy for ecryptfs?

Of course.  Please just let me know what I should do.

Comment 57 Yajo 2011-11-15 09:30:06 UTC
In a fresh F16, bug persists.
No configuration changes (just installed F16 on top of F15).
~/Private does not auto-mount.

(In reply to comment #19)
> b) boot, ctrl-alt-f2, log in as root and execute:
> setenforce 0
> 
> then selinux will run in permissive mode until next reboot.

The above again solves the problem, so it seems related to SELinux.

Additional info:
$ rpm -q selinux-policy ecryptfs-utils
selinux-policy-3.10.0-55.fc16.noarch
ecryptfs-utils-90-2.fc16.x86_64

Comment 59 Michal Hlavinka 2011-12-07 11:49:33 UTC
Bad bugzilla, bad! Because I had to cancel my changes, only a short version follows:


This was a tracking bug for a small change in ecryptfs-utils. The requested change should be in place, so I'm going to finally close this feature request.


Ling Li:
see mgrepl's answer here: https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17

Yajo:
I hope it works now. If it still does not work, file a new bug against selinux-policy

Others:
I hope I did not forget someone. This was a tracking bug for a feature change, but it accumulated a few reports about ~/Private not mounting because of the similar bug summary text. I have changed the summary of this bug so it does not collect future ~/Private problem reports. If you have a problem with ~/Private, please file a new bug report. Thank you.

Comment 60 Yajo 2011-12-13 13:14:54 UTC
(In reply to comment #59)
> Yajo:
> I hope it works now. If it still does not work, file a new bug against
> selinux-policy

Thanks. FYI it's already done in bug #757691.