Description of problem: Fresh install of Workstation, installed ecryptfs-utils and then created a new user -- then added that user to the ecryptfs group. From there I used ecryptfs-migrate-home to migrate my user to ecryptfs. When selinux is turned on my home directory is not mounted automaticaly when I login -- if I login through a terminal and then mount it using ecryptfs-mount-private I am able to accessmy files, then switch back to the display manager and login. If I then log out of all sessions the ecryptfs share is not unmounted and I see a selinux denial. SELinux is preventing login from 'entrypoint' accesses on the file /usr/sbin/mount.ecryptfs_private. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that login should be allowed entrypoint access on the mount.ecryptfs_private file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep login /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:mount_ecryptfs_exec_t:s0 Target Objects /usr/sbin/mount.ecryptfs_private [ file ] Source login Source Path login Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages ecryptfs-utils-103-6.fc21.x86_64 Policy RPM selinux-policy-3.13.1-99.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64 Alert Count 3 First Seen 2014-12-18 16:34:21 EST Last Seen 2014-12-18 16:40:23 EST Local ID 2fd44357-a433-4f6b-9d3d-77bc84b861b4 Raw Audit Messages type=AVC msg=audit(1418938823.928:638): avc: denied { entrypoint } for pid=12386 comm="login" path="/usr/sbin/mount.ecryptfs_private" dev="sdb2" ino=142780 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_ecryptfs_exec_t:s0 tclass=file permissive=1 Hash: login,unconfined_t,mount_ecryptfs_exec_t,file,entrypoint Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
a8041e60fdc0a38ae58991fc707ae9af8cdb7524 fixes this in git.
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Package selinux-policy-3.13.1-105.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21 then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.