Description of problem: Fresh install of Workstation, installed ecryptfs-utils and then created a new user -- then added that user to the ecryptfs group. From there I used ecryptfs-migrate-home to migrate my user to ecryptfs. When selinux is turned on my home directory is not mounted automaticaly when I login -- if I login through a terminal and then mount it using ecryptfs-mount-private I am able to accessmy files, then switch back to the display manager and login. If I then log out of all sessions the ecryptfs share is not unmounted and I see a selinux denial. SELinux is preventing umount.ecryptfs from read, write access on the file /run/console/brandoni. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that umount.ecryptfs should be allowed read write access on the brandoni file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep umount.ecryptfs /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mount_ecryptfs_t:s0-s0:c0.c1023 Target Context system_u:object_r:pam_var_console_t:s0 Target Objects /run/console/brandoni [ file ] Source umount.ecryptfs Source Path umount.ecryptfs Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-99.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-12-18 16:34:31 EST Last Seen 2014-12-18 16:38:19 EST Local ID 6c4c3091-cb6b-4788-9ead-05a85adc513a Raw Audit Messages type=AVC msg=audit(1418938699.777:594): avc: denied { read write } for pid=11294 comm="umount.ecryptfs" path="/run/console/brandoni" dev="tmpfs" ino=47805 scontext=system_u:system_r:mount_ecryptfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_console_t:s0 tclass=file permissive=1 Hash: umount.ecryptfs,mount_ecryptfs_t,pam_var_console_t,file,read,write Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
b5a57221dc52153b2ca5b55a5ac2afe6698782e7 fixes this in git.
commit 7dd1d81c80adcc216f4863ce5c07e1fe07fb7c47 Author: Dan Walsh <dwalsh> Date: Tue Dec 23 14:48:40 2014 -0500 Allow mount_ecryptfs_t to read/write pam_console data Thank you Dan.
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Package selinux-policy-3.13.1-105.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21 then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.