Bug 487088
Summary: | add ecryptfs pam module to config file in %post | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sachin Garg <ascii79> |
Component: | ecryptfs-utils | Assignee: | Michal Hlavinka <mhlavink> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | a1052087, esandeen, fdaluisio, inglessi, karsten, liling, mgrepl, mhlavink, pbonzini, yajo.sk8 |
Target Milestone: | --- | Keywords: | FutureFeature, Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ecryptfs-utils-93-2.fc17 | Doc Type: | Enhancement |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-12-07 11:49:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 486152 | ||
Bug Blocks: | 479319 |
Description
Sachin Garg
2009-02-24 03:03:45 UTC
after ecryptfs-setup-private you will *not* get auto-mounted ~/Private dir. e-s-private doesn't claim it will be mounted after login.

Extract from ecryptfs-setup-private manpage: "The system administrator can add the pam_ecryptfs.so module to the PAM stack which will automatically use the login passphrase to unwrap the mount passphrase, add the passphrase to the user's kernel keyring, and automatically perform the mount. See pam_ecryptfs(8)." (pam_ecryptfs documentation is missing/obsolete, see #479319 and #479727)

You can use ecryptfs-mount-private (and ecryptfs-umount-private) or you can modify your pam configuration to do this (see #486152 and #479727)

thanks, it explains everything.

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Closing, not really a bug.

please do not close bugs with blocks/depends on

Is there anything to fix in ecryptfs-utils, besides the documentation? This seems more of a dup of 486152, and fixing that bug does not involve touching ecryptfs-utils at all.

(In reply to comment #6)
> Is there anything to fix in ecryptfs-utils, besides the documentation?

yes. for example see summary of this bug

> This seems more of a dup of 486152, and fixing that bug does not involve touching
> ecryptfs-utils at all.

fixing that bug won't fix this one (see summary)

With that patch in, the "add ecryptfs pam module" would become "add USEECRYPTFS=yes to /etc/sysconfig/authconfig". I don't see for example fprintd adding USEFPRINTD=yes, or sssd adding USESSSDAUTH=yes, so I believe this is NOTABUG or WONTFIX; the right way to do it is to make authconfig do that if the user so desires.

modification of /etc/sysconfig/authconfig is not the only way to turn it on/off

    yum remove fprintd-pam
    cat /etc/pam.d/system-auth
    ...
    auth sufficient fprintd.so
    ...

is this correct behaviour?

I don't think so, it should have (at least) called authconfig --disablefingerprint in postun.

(In reply to comment #8)
> With that patch in, the "add ecryptfs pam module" would become "add
> USEECRYPTFS=yes to /etc/sysconfig/authconfig".

I followed the instructions from http://fedoraproject.org/wiki/Features/EcryptfsAuthConfig which include adding that line you say, but ~/Private is not automounting. I'm running a fresh Fedora 15 install. I can provide more info if you need it. Thanks.

Please check if you're hitting bug 706911.

(In reply to comment #12)
> Please check if you're hitting bug 706911.

Thanks for the quick answer. I saw that bug before, but I overlooked it because the version I have installed is ecryptfs-utils-87-3.fc15, which is supposed to close that bug. Anyway I checked by replacing /etc/mtab with a copy of /proc/mounts and rebooting, but the problem persists.

I guess you have ~/Private mount set up correctly, so ecryptfs-mount-private does work for you, right?

Did you enable ecryptfs pam module? You need to run this as root:

    authconfig --enableecryptfs --updateall

do not change /etc/sysconfig/authconfig, it's just one required step, it's just "pre-config" for authconfig which modifies pam config files. Just enable ecryptfs using the authconfig command above and it should work fine.

(In reply to comment #14)
> I guess you have ~/Private mount set up correctly, so ecryptfs-mount-private
> does work for you, right?

Right:

    $ ecryptfs-mount-private
    Enter your login passphrase:
    Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

(The login passphrase is the same as my account's password)

> Did you enable ecryptfs pam module? You need to run this as root:
>
> authconfig --enableecryptfs --updateall
>
> do not change /etc/sysconfig/authconfig it's just one required step, it's just
> "pre-config" for authconfig which modifies pam config files. Just enable
> ecryptfs using authconfig command above and it should work fine.

    $ sudo authconfig --enableecryptfs --updateall
    Nota: Reenviando petición a 'systemctl disable sssd.service'.

Then I rebooted and the problem persists. Maybe this will help:

    $ cat /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

What desktop are you using? KDE, Gnome (default), XFCE,...? What login manager? GDM (default), KDM,... ? Do you test it by logging in your desktop or in terminal or using ssh or...?

What is output of (run as affected user, not root):

    ls -l ~/.ecryptfs

What is output of (run as affected user after log in, *before* any ecryptfs commands - like ecryptfs-mount-private ):

    keyctl list @us

What is content of /etc/pam.d/postlogin on your system?

Did you make any modifications in pam config files? (in /etc/pam.d directory)

(In reply to comment #16)
> What desktop are you using? KDE, Gnome (default), XFCE,...? What login manager?
> GDM (default), KDM,... ? Do you test it by logging in your desktop or in
> terminal or using ssh or...?

Gnome 3 and GDM. All default.

> What is output of (run as affected user, not root):
>
> ls -l ~/.ecryptfs

    $ ls -l ~/.ecryptfs
    total 20
    -rw-------. 1 jairot jairot  0 jul  4 22:57 auto-mount
    -rw-------. 1 jairot jairot  0 jul  4 22:57 auto-umount
    -rw-------. 1 jairot jairot 21 jul  4 22:57 Private.mnt
    -rw-------. 1 jairot jairot 34 jul  4 22:57 Private.sig
    -rw-------. 1 jairot jairot 34 jul  4 19:17 Private.sig.20110704225700
    -r--------. 1 jairot jairot 48 jul  4 22:57 wrapped-passphrase
    -r--------. 1 jairot jairot 48 jul  4 19:17 wrapped-passphrase.20110704225700

> What is output of (run as affected user after log in, *before* any ecryptfs
> commands - like ecryptfs-mount-private ):
>
> keyctl list @us

    $ keyctl list @us
    1 key in keyring:
    889759792: --alswrv   500    -1  keyring: _uid.500

The output is the same after ecryptfs-mount-private

> What is content of /etc/pam.d/postlogin on your system?

    $ cat /etc/pam.d/postlogin
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        optional      pam_ecryptfs.so unwrap
    password    optional      pam_ecryptfs.so unwrap
    session     optional      pam_ecryptfs.so unwrap

> Did you make any modifications in pam config files? (in /etc/pam.d directory)

No.

Also please give the output of

    grep postlogin -r --exclude '*.rpm*' /etc/pam.d

It should be something like:

    /etc/pam.d/login:auth substack postlogin
    /etc/pam.d/login:session substack postlogin
    /etc/pam.d/gdm:auth include postlogin
    /etc/pam.d/gdm:session include postlogin
    /etc/pam.d/gdm-password:auth include postlogin
    /etc/pam.d/gdm-password:session include postlogin
    /etc/pam.d/passwd:password substack postlogin
    /etc/pam.d/remote:auth substack postlogin
    /etc/pam.d/remote:session substack postlogin
    /etc/pam.d/gdm-autologin:auth include postlogin
    /etc/pam.d/gdm-autologin:session include postlogin
    /etc/pam.d/gdm-fingerprint:auth include postlogin
    /etc/pam.d/gdm-fingerprint:session include postlogin

(In reply to comment #18)
> Also please give the output of
>
> grep postlogin -r --exclude '*.rpm*' /etc/pam.d

You can check it, but it's not important. If keyctl output after login is not empty, the pam module was executed. The chance that auth is executed but session is not executed is really, really small.

> -r--------. 1 jairot jairot 48 jul 4 22:57 wrapped-passphrase
> -r--------. 1 jairot jairot 48 jul 4 19:17 wrapped-passphrase.20110704225700

you have 2 wrapped-passphrase files, did you change your passphrase recently? Or used "ecryptfs-setup-private --force" or did something else? It's not usual to have more versions.

Anyway, everything looks ok, so we need more information. Log in and then get ecryptfs messages:

    tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'

and

    tail -n 50 /var/log/secure

Well, I almost forgot... SELinux, try if it works with selinux in permissive mode:
a) add "enforcing=0" as kernel argument in grub,
OR
b) boot, ctrl-alt-f2, log in as root and execute:

    setenforce 0

then selinux will run in permissive mode until next reboot.

(In reply to comment #18)
> Also please give the output of
>
> grep postlogin -r --exclude '*.rpm*' /etc/pam.d
>
> It should be something like:
> ...

The output is slightly different from that:

    $ grep postlogin -r --exclude '*.rpm*' /etc/pam.d
    /etc/pam.d/remote:auth include postlogin
    /etc/pam.d/remote:session include postlogin
    /etc/pam.d/gdm:auth include postlogin
    /etc/pam.d/gdm:session include postlogin
    /etc/pam.d/login:auth include postlogin
    /etc/pam.d/login:session include postlogin
    /etc/pam.d/gdm-password:auth include postlogin
    /etc/pam.d/gdm-password:session include postlogin
    /etc/pam.d/gdm-fingerprint:auth include postlogin
    /etc/pam.d/gdm-fingerprint:session include postlogin
    /etc/pam.d/passwd:password substack postlogin
    /etc/pam.d/gdm-autologin:auth include postlogin
    /etc/pam.d/gdm-autologin:session include postlogin

(In reply to comment #19)
> > -r--------. 1 jairot jairot 48 jul 4 22:57 wrapped-passphrase
> > -r--------. 1 jairot jairot 48 jul 4 19:17 wrapped-passphrase.20110704225700
>
> you have 2 wrapped-passphrase files, did you change your passphrase recently?
> Or used "ecryptfs-setup-private --force" or did something else? It's not usual
> to have more versions.

Yes. At first I thought it was some misconfiguration, so I tried some of the ecryptfs options, which created those files, but the buggy behavior remains the same. I decided not to erase them until everything is working fine.

> Anyway, everything looks ok, so we need more information. Log in and then
> get ecryptfs messages:
>
> tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'
>
> and
>
> tail -n 50 /var/log/secure

Commands run after ecryptfs-mount-private (only the ecryptfs-related lines of the first one are kept here; the rest was kernel driver and cfg80211 noise):

    $ sudo tail -n 200 /var/log/messages | grep -E '(kernel|ecryptfs)'
    ...
    Jul  9 13:02:16 dv6600 pam: gdm-password[1294]: Error attempting to open [/home/jairot/.ecryptfs/wrapped-passphrase] for reading
    Jul  9 13:02:16 dv6600 pam: gdm-password[1294]: Error attempting to unwrap passphrase from file [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]
    ...
    $ sudo tail -n 50 /var/log/secure
    ...
    Jul  9 13:02:16 dv6600 pam: gdm-password[1272]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0)
    ...
> Well, I almost forgot... SELinux, try if it works with selinux in permissive
> mode:
> a) add "enforcing=0" as kernel argument in grub,
> OR
> b) boot, ctrl-alt-f2, log in as root and execute:
> setenforce 0
>
> then selinux will run in permissive mode until next reboot.

I chose option B and... It worked! Starting session auto-mounted ~/Private, but SELinux gave me this alert:

    SELinux is preventing /usr/libexec/gdm-session-worker from getattr access on the archivo /home/jairot/.ecryptfs/auto-mount.

    ***** Sugerencia de complemento restorecon (82.4 confidence) ***************
    Siyou want to fix the label.
    /home/jairot/.ecryptfs/auto-mount default label should be user_home_t.
    Entoncesyou can run restorecon.
    Hacer
    # /sbin/restorecon -v /home/jairot/.ecryptfs/auto-mount

    ***** Sugerencia de complemento file (7.05 confidence) *********************
    Siyou think this is caused by a badly mislabeled machine.
    Entoncesyou need to fully relabel.
    Hacer
    touch /.autorelabel; reboot
    ***** Sugerencia de complemento catchall (1.31 confidence) *****************
    Siyou believe that gdm-session-worker should be allowed getattr access on the auto-mount file by default.
    Entoncesyou should report this as a bug.
    You can generate a local policy module to allow this access.
    Hacer
    allow this access for now by executing:
    # grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Contexto Fuente               system_u:system_r:xdm_t:s0-s0:c0.c1023
    Contexto Destino              unconfined_u:object_r:file_t:s0
    Objetos Destino               /home/jairot/.ecryptfs/auto-mount [ file ]
    Fuente                        gdm-session-wor
    Dirección de Fuente           /usr/libexec/gdm-session-worker
    Puerto                        <Desconocido>
    Nombre de Equipo              dv6600.casa
    Paquetes RPM Fuentes          gdm-3.0.4-1.fc15
    Paquetes RPM Destinos
    RPM de Políticas              selinux-policy-3.9.16-30.fc15
    SELinux Activado              True
    Tipo de Política              targeted
    Modo Obediente                Permissive
    Nombre de Equipo              dv6600.casa
    Plataforma                    Linux dv6600.casa 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64
    Cantidad de Alertas           3
    Visto por Primera Vez         sáb 09 jul 2011 13:10:29 CEST
    Visto por Última Vez          sáb 09 jul 2011 13:10:34 CEST
    ID Local                      e928a8d2-af20-4560-b57c-959986c7e7cb

    Mensajes de Auditoría Crudos
    type=AVC msg=audit(1310209834.515:63): avc:  denied  { getattr } for  pid=1368 comm="gdm-session-wor" path="/home/jairot/.ecryptfs/auto-mount" dev=sda7 ino=3015342 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
    type=SYSCALL msg=audit(1310209834.515:63): arch=x86_64 syscall=stat success=yes exit=0 a0=1f7e390 a1=7fffe0e8b4c0 a2=7fffe0e8b4c0 a3=6564726f6365722e items=0 ppid=1276 pid=1368 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

    Hash: gdm-session-wor,xdm_t,file_t,file,getattr

    audit2allow
    #============= xdm_t ==============
    allow xdm_t file_t:file getattr;

    audit2allow -R
    #============= xdm_t ==============
    allow xdm_t file_t:file getattr;

> > Well, I almost forgot... SELinux, try if it works with selinux in permissive
> > mode:
> > a) add "enforcing=0" as kernel argument in grub,
> > OR
> > b) boot, ctrl-alt-f2, log in as root and execute:
> > setenforce 0
> >
> > then selinux will run in permissive mode until next reboot.
>
> I chose option B and... It worked!
> Starting session auto-mounted ~/Private, but SELinux gave me this alert:
>
ok, so let's get attention from SELinux team, ccing mgrepl
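The postlogin wiring that the maintainer checks by hand earlier in this thread (pam_ecryptfs.so listed in /etc/pam.d/postlogin, and postlogin reached through `include`/`substack` from each login service) can be verified mechanically by flattening the PAM stacks. The script below is an added example, not code from this bug report or from ecryptfs-utils; it runs on a constructed copy of the PAM files quoted above, written to a temporary directory, and the `sshd` service in the sample is hypothetical (a service that was never given the postlogin include).

```python
"""Resolve PAM include/substack chains and check that pam_ecryptfs.so is
reachable from a login service, automating the grep/cat checks in the thread.

Added example, not from the bug report or ecryptfs-utils.  It works on a
constructed copy of the files quoted in the thread (written to a temp dir),
never on the live /etc/pam.d; point pam_dir at /etc/pam.d to audit a host.
"""
import os
import re
import tempfile

# Constructed sample, abridged from the system-auth, postlogin and grep
# output quoted in this report.  "sshd" is a hypothetical service that
# lacks the postlogin include, so its sessions would never mount ~/Private.
SAMPLE_PAM_D = {
    "system-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_fprintd.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        required      pam_deny.so\n"
        "-session    optional      pam_systemd.so\n"
        "session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\n"
        "session     required      pam_unix.so\n"
    ),
    "postlogin": (
        "auth        optional      pam_ecryptfs.so unwrap\n"
        "password    optional      pam_ecryptfs.so unwrap\n"
        "session     optional      pam_ecryptfs.so unwrap\n"
    ),
    "gdm-password": (
        "auth        substack      system-auth\n"
        "auth        include       postlogin\n"
        "session     include       system-auth\n"
        "session     include       postlogin\n"
    ),
    "sshd": (
        "auth        substack      system-auth\n"
        "session     include       system-auth\n"
    ),
}

# type  control|[bracketed control]  module  [args]; a leading '-' marks a
# module that PAM silently skips when it is not installed.
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_service(pam_dir, service):
    """Return (type, control, module, args) tuples for one service file."""
    entries = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            m = LINE_RE.match(line) if line else None
            if m:
                entries.append(m.groups())
    return entries


def resolve_stack(pam_dir, service, mtype, seen=frozenset()):
    """Flatten one management group, following include/substack recursively.

    Returns (module, via_file) pairs in stack order; include cycles are cut.
    """
    if service in seen:
        return []
    out = []
    for t, control, module, _args in parse_service(pam_dir, service):
        if t != mtype:
            continue
        if control in ("include", "substack"):
            out.extend(resolve_stack(pam_dir, module, mtype, seen | {service}))
        else:
            out.append((module, service))
    return out


def ecryptfs_wired(pam_dir, service):
    """True iff pam_ecryptfs.so is in both the auth and session stacks.

    Both are needed: auth unwraps the passphrase into the keyring, session
    performs the mount; the thread's keyctl check only proves the former.
    """
    return all(
        any(mod == "pam_ecryptfs.so" for mod, _ in resolve_stack(pam_dir, service, t))
        for t in ("auth", "session")
    )


def missing_ecryptfs(pam_dir, services):
    """Names of the given services whose login path never reaches pam_ecryptfs."""
    return [s for s in services if not ecryptfs_wired(pam_dir, s)]


def make_sample_dir():
    """Write the constructed sample files to a fresh temp dir and return it."""
    d = tempfile.mkdtemp(prefix="pam.d-sample-")
    for name, text in SAMPLE_PAM_D.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    for svc in ("gdm-password", "sshd"):
        chain = [f"{m} ({via})" for m, via in resolve_stack(d, svc, "session")]
        print(f"{svc}: session stack -> {', '.join(chain)}")
    print("services without pam_ecryptfs:", missing_ecryptfs(d, ["gdm-password", "sshd"]))
```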
Today I installed the nVidia drivers from rpmfusion and made a kernel rebuild with this: yum install kmod-nvidia new-kernel-pkg --mkinitrd --dracut --update $(rpm -q --queryformat="%{version}-%{release}.%{arch}\n" kernel | tail -n 1) Unexpectedly I noticed that just after doing this and rebooting, ~/Private automounts perfectly. I don't fully understand why this now works, I was only following the instructions in http://www.fedorafaq.org/#nvidia. I think I broke something by that new-kernel-pkg command, as after an upgrade I wasn't able to start graphic mode. I reinstalled F15, and kmod-nvidia without the new-kernel-pkg stuff and now the system works, but now ecryptfs' bug is present again. does it still work if you try selinux permissive mode? (In reply to comment #24) > does it still work if you try selinux permissive mode? Not this time. This is weird. Now it's even worse: the first time I mount it, it mounts badly. See this terminal session just after login, running in permissive mode: $ ls ~/Private/ # At startup it is not mounted Access-Your-Private-Data.desktop README.txt $ ecryptfs-mount-private Enter your login passphrase: Inserted auth tok with sig [4f4809770febd99e] into the user session keyring $ ls ~/Private/ # After 1st mount, wrong files appear ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa--- ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8--- ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g..iE1EwEwXDMubyWsWfxR---- ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk-- ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U-- ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR--- ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2- $ ecryptfs-umount-private $ ecryptfs-mount-private Enter your login passphrase: Inserted auth tok with 
sig [4f4809770febd99e] into the user session keyring $ ls ~/Private/ # After 2nd mount, good files appear private-file-1 private-file-2 any updates on this? right, I've located several issues and fixed them, so please test ecryptfs-utils-87-7.fc15: sudo yum update --enablerepo=updates-testing ecryptfs-utils if it works for you. It's possible some selinux fixes are required too, so if it does not work, try it with selinux in permissive mode and attach output of sudo tail -n 50 /var/log/secure thanks (In reply to comment #27) > right, I've located several issues and fixed them, so please test > ecryptfs-utils-87-7.fc15: > > sudo yum update --enablerepo=updates-testing ecryptfs-utils I updated it, but the problem persists. > if it works for you. It's possible some selinux fixes are required too, so if > it does not work, try it with selinux in permissive mode and attach output of > > sudo tail -n 50 /var/log/secure > > thanks It does not work, but anyway: $ sudo tail -n 50 /var/log/secure Jul 31 11:48:53 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.70, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.utf8) (disconnected from bus) Jul 31 11:49:06 dv6600 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.108 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) Jul 31 11:50:39 dv6600 pam: gdm-password[13593]: pam_unix(gdm-password:session): session opened for user jairot by (uid=0) Jul 31 11:50:39 dv6600 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.108, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus) Jul 31 11:50:52 dv6600 polkitd(authority=local): Registered 
That's odd, I don't see any ecryptfs message in the log, so the ecryptfs pam module is not used in your case. Do you still have ecryptfs in postlogin as you had in comment #17? Do you have ecryptfs-utils-87-7.fc15? (`rpm -q ecryptfs-utils` will tell you.) Do you use a normal password for login or something special, like a fingerprint reader, ...? Please test if it works in a terminal - after logging in as root and switching selinux to permissive mode, switch to another terminal (alt-f3 for example) and try to log in as a normal user.

And one small change - use ecryptfs-utils-87-8.fc15. The last version contains one fix you need, but it also contains some regression (works only for ssh login: ssh <user>@localhost, but it still does not explain why there are no ecryptfs messages in the secure log). So -87-8.fc15 is needed. This version is not in the updates-testing repository (yet), but you can update ecryptfs-utils using:

```
yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm
```

Before anything, sorry for the delay, I had to reinstall Fedora and did not have the computer available for a while.

(In reply to comment #30)
> -87-8.fc15 is needed. This version is not in the
> updates-testing repository (yet), but you can update ecryptfs-utils using:
>
> yum localupdate --nogpgcheck
> http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm

Done.

(In reply to comment #29)
> that's odd, I don't see any ecryptfs message in the log, so ecryptfs pam
> modules is not used in your case. Do you still have ecryptfs in postlogin as
> you had in comment #17?

Oops, I did not. After reinstalling I forgot to do the authconfig stuff. So, I did:

```
$ authconfig --enableecryptfs --updateall
$ cat /etc/pam.d/postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        optional      pam_ecryptfs.so unwrap
password    optional      pam_ecryptfs.so unwrap
session     optional      pam_ecryptfs.so unwrap
$ sudo reboot
```

After rebooting, the bug persists.

> Do you have ecryptfs-utils-87-7.fc15 ? ( rpm -q
> ecryptfs-utils will tell you)

```
$ rpm -q ecryptfs-utils
ecryptfs-utils-87-8.fc15.x86_64
```

> Do you use normal password for log in or
> something special? Like fingerprint reader,... ?

Normal password. And it is the same that I use as wrapper for ecryptfs (I don't know if it matters).

> Please test if it works in
> terminal - after logging in as root and switching selinux to permissive mode,
> switch to another terminal (alt-f3 for example) and try to log in as normal
> user.

I did that and the bug persists also.

BTW, after doing authconfig --enableecryptfs --updateall, it seems like now there is something helpful in the log:

```
$ sudo cat /var/log/secure | grep ecryptfs
Aug 7 08:05:58 hpfedora sudo: jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/usermod -aG ecryptfs jairot
Aug 7 08:05:58 hpfedora usermod[2113]: add 'jairot' to group 'ecryptfs'
Aug 7 08:05:58 hpfedora usermod[2113]: add 'jairot' to shadow group 'ecryptfs'
Aug 7 11:10:33 hpfedora sudo: jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/bin/yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/8.fc15/x86_64/ecryptfs-utils-87-8.fc15.x86_64.rpm
Aug 7 11:23:23 hpfedora sudo: jairot : TTY=pts/0 ; PWD=/home/jairot ; USER=root ; COMMAND=/usr/sbin/authconfig --enableecryptfs --updateall
Aug 7 11:31:55 hpfedora login: Unable to get ecryptfs pam data : No such file or directory
Aug 7 11:32:06 hpfedora login: Incorrect wrapping key for file [/home/jairot/.ecryptfs/wrapped-passphrase]
Aug 7 11:32:06 hpfedora login: Error attempting to unwrap passphrase from file [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]
```

I hope it helps. Thanks for all.

OK, I've found and fixed two bugs:

> $ sudo cat /var/log/secure | grep ecryptfs

This does not work correctly, because "ecryptfs" was not present in all error messages, but I've changed it and all messages are now prefixed with "ecryptfs:" so you can use grep now.

> Aug 7 11:31:55 hpfedora login: Unable to get ecryptfs pam data : No such file or directory

This should not happen (and the error message is wrong). It should work now, or at least improved error messages should tell us what's wrong.

> Aug 7 11:32:06 hpfedora login: Incorrect wrapping key for file [/home/jairot/.ecryptfs/wrapped-passphrase]
> Aug 7 11:32:06 hpfedora login: Error attempting to unwrap passphrase from file [/home/jairot/.ecryptfs/wrapped-passphrase]; rc = [-5]

There was some problem with passphrase survival between the auth and session pam calls, it's fixed now.

Please test this version:

```
yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
```

thanks

(In reply to comment #32)
> there was some problem with passphrase survival between auth and session pam
> calls, it's fixed now
>
> please test this version:
>
> yum localupdate --nogpgcheck
> http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
>
> thanks

I did that, rebooted, and now it works perfectly. Good work, thanks a lot.

Sorry to bother you again with this. It seems like this issue is not solved 100%. If automount is turned on, it works fine, but if I turn it off, reboot and try to mount it manually with ecryptfs-mount-private, I have exactly the same issue as in comment #25. I tried in permissive mode and it does the same.

I've tried to reproduce it, but it's working for me. Do you have any ecryptfs messages in /var/log/messages?

What is the output of

```
mount | grep ecryptfs
```

and

```
keyctl show
```

after ecryptfs-mount-private? Does it work after the second mount like in comment #25? If it works, what is the output of mount and keyctl this time?

(In reply to comment #35)
> I've tried to reproduce it, but it's working for me.
> Do you have any ecryptfs messages in /var/log/messages ?
>
> What is output of
>
> mount | grep ecryptfs
> and
> keyctl show
>
> after ecryptfs-mount-private?
```
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-
$ mount | grep ecryptfs
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
508586078 --alswrv    500   500       \_ user: 4f4809770febd99e
```

> Does it work after second mount like in comment #25? If it works, what is
> output of mount and keyctl this time?

It does. Continuing the previous console session:

```
$ ecryptfs-umount-private
$ ls Private/
Access-Your-Private-Data.desktop  README.txt
$ mount | grep ecryptfs
$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
$ ls Private/
private-file-1  private-file-2
$ mount | grep ecryptfs
/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_fnek_sig=b43e2e813afe7c23,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
983281705 --alswrv    500   500       \_ user: b43e2e813afe7c23
271662912 --alswrv    500   500       \_ user: 4f4809770febd99e
```

Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...

Thanks. So your keyring after the first attempt contains only the file encryption key, but the file name encryption key is missing. Please paste what you get when running:
```
bash -x /usr/bin/ecryptfs-mount-private
```
instead of just ecryptfs-mount-private
also what is content of your ~/.ecryptfs/Private.sig ?
> Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...
/var/log/secure is used only for pam automount, standard log is /var/log/messages
PS: be sure to have the latest version from the updates-testing repository (ecryptfs-utils-90-1.fc15); there are some fixes in ecryptfs-mount-private. They are probably not related to your problem. It's just so I can compare your output with the expected one from the same version.
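As an added example (not from this thread or from ecryptfs-utils), the checks the thread converges on, written as a POSIX sh diagnostic over captured `keyctl show`, `mount` and `lsmod` text so it can be run offline: every signature in Private.sig must be in the keyring, a good mount line carries `ecryptfs_fnek_sig=`, and the ecryptfs module must be loaded first. The sample inputs are constructed from the values pasted above; the lsmod module sizes are made up.

```shell
#!/bin/sh
# Added diagnostic, not part of ecryptfs-utils. It re-implements, over captured
# text, the three checks this thread converged on:
#   1. every signature in ~/.ecryptfs/Private.sig must be present in the keyring
#      (after the first bad mount only the file-encryption key 4f4809770febd99e
#      was there; the filename-encryption key b43e2e813afe7c23 was missing);
#   2. a correct mount line carries ecryptfs_fnek_sig=...; the bad one did not;
#   3. the ecryptfs kernel module must be loaded before mount.ecryptfs_private
#      runs (the eventual fix was 'mount.ecryptfs_private --loadmodule').
# Sample inputs below are constructed from outputs pasted in the thread.

# Print each signature listed in Private.sig ($1) that the keyring listing
# ($2, output of 'keyctl show' or 'keyctl list @u') does not contain.
missing_sigs() {
  sigs=$1
  keyring=$2
  for sig in $sigs; do
    # key descriptions end the line: "... user: 4f4809770febd99e"
    printf '%s\n' "$keyring" | grep -q -- " $sig\$" || printf '%s\n' "$sig"
  done
}

# Return 0 when the ecryptfs mount line ($1) has a filename-encryption key
# signature (ecryptfs_fnek_sig=...), 1 when it is absent (filenames then show
# up as ECRYPTFS_FNEK_ENCRYPTED.* as in the first mount attempt).
mount_has_fnek() {
  printf '%s\n' "$1" | grep -q 'ecryptfs_fnek_sig=[0-9a-f]\{16\}'
}

# Return 0 when the ecryptfs module appears in lsmod output ($1).
module_loaded() {
  printf '%s\n' "$1" | grep -q '^ecryptfs[[:space:]]'
}

# Run all three checks; print one line per finding and return their count.
# $1 Private.sig contents, $2 keyring listing, $3 mount line, $4 lsmod output
diagnose() {
  d_sigs=$1; d_keyring=$2; d_mount=$3; d_lsmod=$4
  problems=0
  if ! module_loaded "$d_lsmod"; then
    echo "ecryptfs module not loaded; run 'mount.ecryptfs_private --loadmodule' first"
    problems=$((problems + 1))
  fi
  for sig in $(missing_sigs "$d_sigs" "$d_keyring"); do
    echo "signature $sig from Private.sig is not in the keyring"
    problems=$((problems + 1))
  done
  if [ -n "$d_mount" ] && ! mount_has_fnek "$d_mount"; then
    echo "mounted without ecryptfs_fnek_sig: filenames will stay encrypted"
    problems=$((problems + 1))
  fi
  return $problems
}

# --- constructed sample data (values taken from the thread) -----------------
PRIVATE_SIG='4f4809770febd99e
b43e2e813afe7c23'

# keyctl show after the first (bad) mount: one key only
KEYRING_FIRST='Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
508586078 --alswrv    500   500       \_ user: 4f4809770febd99e'

# keyctl show after the second (good) mount: both keys
KEYRING_SECOND='Session Keyring
       -3 --alswrv    500   500  keyring: _ses
738559970 --alswrv    500    -1   \_ keyring: _uid.500
983281705 --alswrv    500   500       \_ user: b43e2e813afe7c23
271662912 --alswrv    500   500       \_ user: 4f4809770febd99e'

MOUNT_FIRST='/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)'
MOUNT_SECOND='/home/jairot/.Private on /home/jairot/Private type ecryptfs (rw,relatime,ecryptfs_fnek_sig=b43e2e813afe7c23,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)'

# lsmod excerpts (sizes are made up): module absent vs. present
LSMOD_WITHOUT='Module                  Size  Used by
dm_crypt               23000  1'
LSMOD_WITH='Module                  Size  Used by
ecryptfs               88000  1
dm_crypt               23000  1'

echo '== first mount attempt =='
diagnose "$PRIVATE_SIG" "$KEYRING_FIRST" "$MOUNT_FIRST" "$LSMOD_WITHOUT" || echo "$? problem(s)"
echo '== second mount attempt =='
diagnose "$PRIVATE_SIG" "$KEYRING_SECOND" "$MOUNT_SECOND" "$LSMOD_WITH" && echo 'no problems'
```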
The proposed fix has a dependency problem with glibc, it wants glibc_2.14 where RHEL 6.x type OS is glibc_2.12 based. Is this fix only available in Fedora? (automount also fails here while manual mount works fine)

(In reply to comment #32)
> please test this version:
>
> yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
>
> thanks

I tried the commands below. One is not supposed to install Fedora RPMs on a RHEL based OS, but I didn't know any other way.

```
rpm --force --nodeps -Uvh http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-2.14-5.x86_64.rpm http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-common-2.14-5.x86_64.rpm
yum localupdate --nogpgcheck http://kojipkgs.fedoraproject.org/packages/ecryptfs-utils/87/9.fc15/x86_64/ecryptfs-utils-87-9.fc15.x86_64.rpm
authconfig --enableecryptfs --updateall
```

Something DID change, as authconfig no longer outputs: "authconfig.py: error: no such option: --enableecryptfs". But my privates are still not automounted when I enter my session. There is still no pam_ecryptfs.so in /etc/pam.d/system-auth but there is something:

```
# grep -iH ecryptfs /etc/pam.d/*
/etc/pam.d/postlogin-ac:auth        optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:password    optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:session     optional      pam_ecryptfs.so unwrap
```

So here is some more interesting fiddling around after logging in, I hope someone can give me some pointers on making this work.

```
$ mount | grep ecryptfs
(nothing)
$ keyctl list @us
1 key in keyring:
973882876: --alswrv   500    -1 keyring: _uid.500
$ keyctl read 973882876
No data in key
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [blah] into the user session keyring
$ mount | grep ecryptfs
/home/user/.Private on /home/user/Private type ecryptfs (blahblah)
$ keyctl read 973882876
8 bytes of data in key:
00f91321 c5080815
```

(In reply to comment #38)
> The proposed fix has a dependency problem with glibc, it wants glibc_2.14 where
> RHEL 6.x type os is glibc_2.12 based. Is this fix only available in Fedora?

Yes. If you want this fix in RHEL6 you have to file a new feature request (bug): 1. for authconfig and 2. for ecryptfs-utils.

> rpm --force --nodeps -Uvh
> http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-2.14-5.x86_64.rpm
> http://download.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/glibc-common-2.14-5.x86_64.rpm

This will break your system. You can't use Fedora packages in RHEL.

(In reply to comment #37)

I hope the following helps.

> PS: be sure to have latest version from updates-testing repository
> (ecryptfs-utils-90-1.fc15), there are some fixes in ecryptfs-mount-private.
> They are probably not related to your problem. It's just so I can compare your
> output with the expected one from the same version.

I had an older version. Now it is updated.

```
$ rpm -q ecryptfs-utils
ecryptfs-utils-90-1.fc15.x86_64
```

> Thanks. So your keyring after first attempt contains only file encryption key,
> but file name encryption key is missing.
> Please paste what you get when
> running:
>
> bash -x /usr/bin/ecryptfs-mount-private
>
> instead of just ecryptfs-mount-private

```
15:51:51 jairot@hpfedora ~
$ bash -x /usr/bin/ecryptfs-mount-private
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
++ gettext 'Enter your login passphrase:'
+ MESSAGE='Enter your login passphrase:'
+ '[' -f /home/jairot/.ecryptfs/wrapping-independent ']'
+ WRAPPED_PASSPHRASE_FILE=/home/jairot/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/jairot/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ '[' -f /home/jairot/.ecryptfs/wrapped-passphrase -a -f /home/jairot/.ecryptfs/Private.sig ']'
+ tries=0
++ stty -g
+ stty_orig=6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ '[' 0 -lt 3 ']'
+ echo -n 'Enter your login passphrase:'
Enter your login passphrase:+ stty -echo
++ head -n1
+ LOGINPASS=******
+ stty 6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo

++ wc -l
+ '[' 2 = 1 ']'
+ printf '%s\0' ******
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/jairot/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
+ break
+ '[' 0 -ge 3 ']'
+ /sbin/mount.ecryptfs_private
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ exit 0
15:54:39 jairot@hpfedora ~
$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-
15:55:04 jairot@hpfedora ~
```
```
$ bash -x /usr/bin/ecryptfs-umount-private
+ TEXTDOMAIN=ecryptfs-utils
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ /sbin/umount.ecryptfs_private
++ cat /home/jairot/.ecryptfs/Private.sig
+ for sig in '`cat "$HOME/.ecryptfs/Private.sig"`'
++ keyctl list @u
++ grep '4f4809770febd99e$'
++ awk -F: '{print $1}'
+ for sig in '`cat "$HOME/.ecryptfs/Private.sig"`'
++ awk -F: '{print $1}'
++ grep 'b43e2e813afe7c23$'
++ keyctl list @u
+ '[' '' = 1 ']'
15:55:11 jairot@hpfedora ~
$ bash -x /usr/bin/ecryptfs-mount-private
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
++ gettext 'Enter your login passphrase:'
+ MESSAGE='Enter your login passphrase:'
+ '[' -f /home/jairot/.ecryptfs/wrapping-independent ']'
+ WRAPPED_PASSPHRASE_FILE=/home/jairot/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/jairot/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ '[' -f /home/jairot/.ecryptfs/wrapped-passphrase -a -f /home/jairot/.ecryptfs/Private.sig ']'
+ tries=0
++ stty -g
+ stty_orig=6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ '[' 0 -lt 3 ']'
+ echo -n 'Enter your login passphrase:'
Enter your login passphrase:+ stty -echo
++ head -n1
+ LOGINPASS=******
+ stty 6d02:5:4bf:8a3b:3:1c:7f:15:4:0:1:ff:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo

++ wc -l
+ '[' 2 = 1 ']'
+ printf '%s\0' ******
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/jairot/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring
+ break
+ '[' 0 -ge 3 ']'
+ /sbin/mount.ecryptfs_private
+ grep -qs '/home/jairot/.Private /home/jairot ecryptfs ' /proc/mounts
+ exit 0
15:55:18 jairot@hpfedora ~
$ ls Private/
private-file-1  private-file-2
```

> also what is content of your ~/.ecryptfs/Private.sig ?

```
$ cat ~/.ecryptfs/Private.sig
4f4809770febd99e
b43e2e813afe7c23
```

> > Doing `cat /var/log/secure | grep ecryptfs` brings out nothing...
>
> /var/log/secure is used only for pam automount, standard log is
> /var/log/messages

```
16:01:14 jairot@hpfedora ~
$ sudo cat /var/log/messages | grep ecryptfs
Aug 22 15:15:00 hpfedora pam: gdm-fingerprint[1293]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Aug 22 15:15:00 hpfedora pam: gdm-fingerprint[1293]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [jairot]
Aug 22 15:15:02 hpfedora pam: gdm-password[1292]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Aug 22 15:15:02 hpfedora pam: gdm-password[1292]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [jairot]
Aug 22 15:15:03 hpfedora pam: gdm-password[1292]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Aug 22 15:15:03 hpfedora pam: gdm-password[1308]: ecryptfs: private_dir: Skipping automatic eCryptfs mount
Aug 22 15:51:49 hpfedora yum[16273]: Updated: ecryptfs-utils-90-1.fc15.x86_64
Aug 22 15:54:39 hpfedora kernel: [ 2418.236517] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
Aug 22 15:55:18 hpfedora kernel: [ 2457.249033] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
```

Ok, I have a first guess what's going on here. Before the first ecryptfs-mount-private (using bash -x is no longer needed) you probably do not have the ecryptfs module loaded. Check this with this command, it should return nothing:

```
lsmod | grep ecryptfs
```

Still before ecryptfs-mount-private, load the ecryptfs module:

```
mount.ecryptfs_private --loadmodule
```

then try to mount it with ecryptfs-mount-private. Does it work?

(In reply to comment #42)
> Ok, I have first guess what's going on here. Before first
> ecryptfs-mount-private (using bash -x is no longer needed) you probably do not
> have ecryptfs module loaded. Check this with this command, it should return
> nothing:
>
> lsmod | grep ecryptfs

True.

> still before ecryptfs-mount-private, load ecryptfs module:
>
> mount.ecryptfs_private --loadmodule
>
> then try to mount it with ecryptfs-mount-private. Does it work?

Yes!

It should be fixed in ecryptfs-utils-90-2.fc15 (in the updates-testing repository).

(In reply to comment #44)
> it should be fixed in ecryptfs-utils-90-2.fc15 (in updates-testing repository)

It works!

This is now quite a long thread, and I am hoping that someone can summarize how to make this work. I installed Fedora 15 on my Thinkpad Edge today.

* Fedora 15 contains ecryptfs-utils-90-2.fc15 from the updates repo after installing ecryptfs-utils
* ecryptfs-setup-private works
* ecryptfs-mount-private works
* automount on login (automated through PAM) does not work, so
* privatizing .config dirs and symlinking to Private fails
* auto-umount on logout does not work either, but maybe that only works when Private was automatically mounted in the first place, not through ecryptfs-mount-private.
* Also, after doing this on a brand new installation, I was not a sudoer anymore. I used to be. (??)

> * automount on login (automated through PAM) does not work, so
> * privatizing .config dirs and symlinking to Private fails
Sorry for asking the obvious, but: did you set this up via "authconfig --enableecryptfs --updateall" as root?
@Paolo Bonzini: No. *blush* As you can see in reply #39, I was aware of this, but I plain old stupid forgot. I will try this out soon, but I am sure it will work.

Anyway, to bring something relevant to the table, the man page for ecryptfs-setup-private mentions the flag -a --all-home, but it is not supported.

Fresh new F15 and up-to-date installation (today is my Fedora Day! yeah),

```
# tail -n10 /var/log/messages
Oct 24 15:31:04 dotto pam: gdm-fingerprint[5278]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Oct 24 15:31:04 dotto pam: gdm-fingerprint[5278]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [fdaluisio]
Oct 24 15:31:04 dotto gdm[5293]: ******************* START **********************************
Oct 24 15:31:04 dotto gdm[5293]: ******************* END **********************************
Oct 24 15:31:06 dotto pam: gdm-password[5277]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
Oct 24 15:31:06 dotto pam: gdm-password[5277]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: username = [fdaluisio]
Oct 24 15:31:06 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Passphrase file wrapped
Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to open [/home/fdaluisio/.ecryptfs/wrapped-passphrase] for reading
Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to unwrap passphrase from file [/home/fdaluisio/.ecryptfs/wrapped-passphrase]; rc = [-5]
Oct 24 15:31:07 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Error adding passphrase key token to user session keyring; rc = [-5]
Oct 24 15:31:07 dotto pam: gdm-password[5309]: WARNING: unable to log session
# rpm -qa "ecryptfs*"
ecryptfs-utils-90-2.fc15.i686
# rpm -qa "glibc*"
glibc-common-2.14-5.i686
glibc-2.14-5.i686
```

NOTE: fdaluisio is in the ecryptfs group; ecryptfs-mount-private and ecryptfs-umount-private via bash after login unwrap the keys and mount the Private directory, but auto-mount at login does not mount Private. USEECRYPTFS=yes in /etc/sysconfig/authconfig is OK and --updateall from root is done.

```
[root@dotto pam.d]# grep ecryptfs *
postlogin:auth        optional      pam_ecryptfs.so unwrap
postlogin:password    optional      pam_ecryptfs.so unwrap
postlogin:session     optional      pam_ecryptfs.so unwrap
postlogin-ac:auth        optional      pam_ecryptfs.so unwrap
postlogin-ac:password    optional      pam_ecryptfs.so unwrap
postlogin-ac:session     optional      pam_ecryptfs.so unwrap
```

Trouble with gdm-password?

Fedora 16 beta, after successfully doing

```
authconfig --enableecryptfs --updateall
usermod -G ecryptfs <user>
ecryptfs-migrate-home -u <user>
```

the login still fails to mount Private, due to SELinux preventing /bin/login from accessing files in /home/.ecryptfs/<user>/.ecryptfs. Below is one of the details from sealert:

```
SELinux is preventing /bin/login from 'read' accesses on the file wrapped-passphrase.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that login should be allowed read access on the wrapped-passphrase file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                wrapped-passphrase [ file ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.20.1-1.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-46.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux panda 3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19 05:02:17 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 24 Oct 2011 04:50:47 PM EDT
Last Seen                     Mon 24 Oct 2011 04:50:47 PM EDT
Local ID                      8e425981-86a4-473a-8695-001350285536

Raw Audit Messages
type=AVC msg=audit(1319489447.604:206): avc:  denied  { read } for  pid=4574 comm="login" name="wrapped-passphrase" dev=dm-6 ino=130070 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1319489447.604:206): arch=x86_64 syscall=open success=no exit=EACCES a0=1771f80 a1=0 a2=0 a3=0 items=0 ppid=3470 pid=4574 auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=tty4 ses=9 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,user_home_t,file,read

audit2allow

#============= local_login_t ==============
allow local_login_t user_home_t:file read;

audit2allow -R

#============= local_login_t ==============
allow local_login_t user_home_t:file read;
```

(In reply to comment #50)
> Fedora 16 beta, after successfully doing
>
> authconfig --enableecryptfs --updateall
> usermod -G ecryptfs <user>
> ecryptfs-migrate-home -u <user>
>
> the login still fails to mount Private, due to SELinux preventing /bin/login from
> accessing files in /home/.ecryptfs/<user>/.ecryptfs.
known issue, see bug #712048

(In reply to comment #49)
> Fresh new F15 and up-to-date installation (today is my Fedora Day! yeah),
>
> # tail -n10 /var/log/messages
> ...
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to open
> [/home/fdaluisio/.ecryptfs/wrapped-passphrase] for reading
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: Error attempting to unwrap
> passphrase from file [/home/fdaluisio/.ecryptfs/wrapped-passphrase]; rc = [-5]
> Oct 24 15:31:07 dotto pam: gdm-password[5302]: ecryptfs: fill_keyring: Error
> adding passphrase key token to user session keyring; rc = [-5]

interesting, I'll look at it, what is the output of

ll /home/fdaluisio/.ecryptfs/

on your system?

(In reply to comment #51)
> (In reply to comment #50)
> > Fedora 16 beta, after successfully doing
> >
> > authconfig --enableecryptfs --updateall
> > usermod -G ecryptfs <user>
> > ecryptfs-migrate-home -u <user>
> >
> > the login still fails to mount Private, due to SELinux preventing /bin/login to
> > access files in /home/.ecryptfs/<user>/.ecryptfs.
>
> known issue, see bug #712048

Ling,
are you interested in testing a local policy for ecryptfs?

(In reply to comment #52)
> interesting, I'll look at it, what is the output of
>
> ll /home/fdaluisio/.ecryptfs/
>
> on your system?

Sure, selinux seems ok

fdaluisio@dotto:~/.ecryptfs$ ll -Z *
-rw-rw-r--. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 auto-mount
-rw-rw-r--. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 auto-umount
-rw-------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 Private.mnt
-rw-------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 Private.sig
-r--------. fdaluisio fdaluisio unconfined_u:object_r:user_home_t:s0 wrapped-passphrase

(In reply to comment #54)
> (In reply to comment #52)
> > interesting, I'll look at it, what is the output of
> >
> > ll /home/fdaluisio/.ecryptfs/
> >
> > on your system?

fdaluisio@dotto:~/.ecryptfs$ ll
totale 20
drwx------.  2 fdaluisio fdaluisio 4096 24 ott 15.03 ./
drwxr-xr-x. 83 fdaluisio fdaluisio 4096 25 ott 10.14 ../
-rw-rw-r--.  1 fdaluisio fdaluisio    0 24 ott 15.03 auto-mount
-rw-rw-r--.  1 fdaluisio fdaluisio    0 24 ott 15.03 auto-umount
-rw-------.  1 fdaluisio fdaluisio   24 24 ott 15.03 Private.mnt
-rw-------.  1 fdaluisio fdaluisio   34 24 ott 15.03 Private.sig
-r--------.  1 fdaluisio fdaluisio   48 24 ott 15.03 wrapped-passphrase

(In reply to comment #53)
> (In reply to comment #51)
> > (In reply to comment #50)
> > > Fedora 16 beta, after successfully doing
> > >
> > > authconfig --enableecryptfs --updateall
> > > usermod -G ecryptfs <user>
> > > ecryptfs-migrate-home -u <user>
> > >
> > > the login still fails to mount Private, due to SELinux preventing /bin/login to
> > > access files in /home/.ecryptfs/<user>/.ecryptfs.
> >
> > known issue, see bug #712048
>
> Ling,
> are you interested in testing a local policy for ecryptfs?

Of course. Please just let me know what I should do.

In a fresh F16, the bug persists. No configuration changes (just installed F16 on top of F15).
~/Private does not auto-mount.

(In reply to comment #19)
> b) boot, ctrl-alt-f2, log in as root and execute:
> setenforce 0
>
> then selinux will run in permissive mode until next reboot.

The above again solves the problem, so it seems related to SELinux.

Additional info:
$ rpm -q selinux-policy ecryptfs-utils
selinux-policy-3.10.0-55.fc16.noarch
ecryptfs-utils-90-2.fc16.x86_64

Bad bugzilla, bad!
Because I had to cancel my changes, only the short version follows:

This was a tracking bug for a small change in ecryptfs-utils. The requested change should be in place, so I'm going to finally close this feature request.

Ling Li:
see mgrepl's answer here: https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17

Yajo:
I hope it works now. If it still does not work, file a new bug against selinux-policy

Others:
I hope I did not forget someone. This was a tracking bug for a feature change, but it accumulated a few reports about ~/Private not mounting, because of similar bug summary text. I have changed the summary of this bug, so it does not collect future ~/Private problem reports. If you have a problem with ~/Private, please file a new bug report. Thank you.

(In reply to comment #59)
> Yajo:
> I hope it works now. If it still does not work, file a new bug against
> selinux-policy

Thanks. FYI it's already done in bug #757691.
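Added example, not code from the bug report or from ecryptfs-utils: a small Python triage helper that parses the raw type=AVC record from the setroubleshoot report quoted in this thread, reproduces its "Hash:" key and the rule audit2allow derives, and flags the login/wrapped-passphrase pattern the thread is about. The sample record is constructed from the one quoted above; the function names are this example's own.

```python
import re

# Constructed sample: the AVC record quoted in the setroubleshoot report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1319489447.604:206): avc: denied { read } for '
    'pid=4574 comm="login" name="wrapped-passphrase" dev=dm-6 ino=130070 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)

# "avc:  denied  { read write }" -> decision and permission list
_DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")
# key=value pairs; values may be quoted (comm="login") or bare (tclass=file)
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Split one type=AVC audit record into decision, permissions and fields."""
    m = _DECISION.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(record)}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def se_type(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def avc_hash(f):
    """The key setroubleshoot prints as 'Hash:', handy for deduplicating alerts."""
    return ",".join([f["comm"], se_type(f["scontext"]), se_type(f["tcontext"]),
                     f["tclass"], " ".join(f["perms"])])


def allow_rule(f):
    """The allow rule audit2allow would derive from this single denial."""
    perms = f["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (se_type(f["scontext"]),
                                   se_type(f["tcontext"]), f["tclass"], p)


def is_ecryptfs_login_denial(f):
    """The pattern this thread tracks: a login-time domain denied read on the
    user's wrapped-passphrase, which lives in the user_home_t home directory."""
    return (f["decision"] == "denied" and f.get("name") == "wrapped-passphrase"
            and "read" in f["perms"] and se_type(f["tcontext"]) == "user_home_t")
```

Note that the derived rule would let local_login_t read every user_home_t file, much more than pam_ecryptfs needs for its single wrapped-passphrase file; the thread instead refers the reporters to the selinux-policy fix tracked in bug #712048.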
