Description of problem:
After upgrading my F20 to F21, my encrypted home directory no longer gets mounted at login when SELinux is in enforcing mode. In audit.log I can see:

type=AVC msg=audit(1417342960.936:369): avc: denied { entrypoint } for pid=1226 comm="lxdm-binary" path="/usr/sbin/mount.ecryptfs_private" dev="sda4" ino=872737 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0

This worked perfectly fine in F20, so this is a regression.

Version-Release number of selected component (if applicable):
lxdm-0.4.1-9.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch
selinux-policy-targeted-3.13.1-92.fc21.noarch

How reproducible:
100%

Steps to Reproduce:
1. Set SELINUX=enforcing in /etc/sysconfig/selinux
2. Reboot
3. Log in to GUI

Actual results:
An empty (default) user environment. This is because the home directory that's available is an empty skeleton that only contains a few standard eCryptfs files (Access-Your-Private-Data.desktop, .ecryptfs, .Private, README.txt).

Expected results:
That the skeleton home directory gets overmounted by the unencrypted files, so that my system works normally.

Additional info:
After setting SELINUX=permissive in /etc/sysconfig/selinux and rebooting, my system is usable again (my encrypted home directory is correctly mounted at login).
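How to read the AVC record quoted in the report above, as an added example that is not part of the original bug report or of any SELinux tool: a Python parser that splits the record into its decision, permission and security contexts and gives a one-line reading of it. The function names (split_context, parse_avc, describe) are hypothetical; the log line is copied from the report.

```python
import re

# AVC record copied from the report above (audit.log, SELinux enforcing).
AVC_LINE = (
    'type=AVC msg=audit(1417342960.936:369): avc: denied { entrypoint } '
    'for pid=1226 comm="lxdm-binary" path="/usr/sbin/mount.ecryptfs_private" '
    'dev="sda4" ino=872737 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    user, role, type_, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'level': level[0] if level else None}


def parse_avc(line):
    """Return the decision, permissions and key=value fields of an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        'decision': m.group(1),
        'perms': m.group(2).split(),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'fields': fields,
    }


def describe(avc):
    """One-line triage summary (hypothetical helper, wording is this example's)."""
    src, tgt = avc['source']['type'], avc['target']['type']
    path = avc['fields'].get('path', '?')
    if 'entrypoint' in avc['perms'] and avc['fields'].get('tclass') == 'file':
        # For entrypoint, scontext is the domain the new process would run in.
        return f'{path} ({tgt}) is not an allowed entry point into domain {src}'
    perms = ' '.join(avc['perms'])
    return f'{src} {avc["decision"]} {{ {perms} }} on {tgt} ({path})'
```

Calling describe(parse_avc(AVC_LINE)) shows that the denial is about the mount helper being executed into unconfined_t, not about the label of lxdm-binary itself, which only appears as the comm field.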
Hi,

Please run:
#restorecon -v /usr/sbin/lxdm-binary

To fix your issue.
(In reply to Lukas Vrabec from comment #1)
> #restorecon -v /usr/sbin/lxdm-binary

That didn't help. I ran the above command as root, set SELINUX=enforcing and rebooted. No luck. I also tried to "touch /.autorelabel" and rebooted another time. That didn't help either.

Tore
Okay, I'll try to reproduce it. Thank you for the response.
Could you attach:
$ ls -Z /usr/sbin/lxdm-binary

Thank you!
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0 /usr/sbin/lxdm-binary
Created attachment 965399
Detail output from setroubleshoot applet

When I log in in permissive mode, I sometimes (not always) get four SELinux alerts, relating to LXDM + eCryptfs. I suppose those are relevant to this bug, so I am attaching the detail output. The error titles are:

1 SELinux is preventing /usr/sbin/mount.ecryptfs_private from entrypoint access on the file /usr/sbin/mount.ecryptfs_private.
2 SELinux is preventing /usr/sbin/lxdm-binary from write access on the file /home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYPTED.FXZho6fsm0GiX-S-inXKR0vtfz5o74eWy2nKNTs3sCmHZTCGpCSH.4xtbpuSey-LQIaArQ8aTer66bk-.
3 SELinux is preventing /usr/sbin/lxdm-binary from write access on the file /home/.ecryptfs/tore/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZho6fsm0GiX-S-inXKR0vtfz5o74eWy2nKspvsX6rhDfQutOr94hucPU--.
4 SELinux is preventing /usr/sbin/lxdm-binary from create access on the file ECRYPTFS_FNEK_ENCRYPTED.FWZho6fsm0GiX-S-inXKR0vtfz5o74eWy2nKspvsX6rhDfQutOr94hucPU--.

The actual files the encrypted names refer to are:

$ ecryptfs-find ECRYPTFS_FNEK_ENCRYPTED.FXZho6fsm0GiX-S-inXKR0vtfz5o74eWy2nKNTs3sCmHZTCGpCSH.4xtbpuSey-LQIaArQ8aTer66bk-
/home/tore/.xsession-errors
$ ecryptfs-find ECRYPTFS_FNEK_ENCRYPTED.FWZho6fsm0GiX-S-inXKR0vtfz5o74eWy2nKspvsX6rhDfQutOr94hucPU--
/home/tore/.Xauthority
*** This bug has been marked as a duplicate of bug 1165578 ***