Bug 1199287 - SELinux prevents automatic unmounting of ecryptfs home dir
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1270134
Depends On:
Reported: 2015-03-05 20:37 UTC by Theodore Lee
Modified: 2016-06-23 09:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-12-08 13:46:22 UTC
Type: Bug

Attachments:
Audit log (484.78 KB, text/plain), 2015-10-10 07:40 UTC, Paul DeStefano

Description Theodore Lee 2015-03-05 20:37:29 UTC
Description of problem:
I have an ecryptfs home directory that's configured to be mounted and unmounted automatically. This works correctly with SELinux set to permissive, but with it set to enforcing, the directory remains mounted after logout.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Set up an ecryptfs home directory as follows:
# authconfig --enableecryptfs --updateall
# usermod -aG ecryptfs USER
# ecryptfs-migrate-home -u USER
# su - USER
$ ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase
$ exit

2. With SELinux enforcing, log in as USER via console/GUI, then log out again.

3. Check status of the home directory with root.

Actual results:

df reports the home directory is still mounted.
# df -h
Filesystem                   Size  Used Avail Use% Mounted on
/home/antiaircraft/.Private  468G  223G  222G  51% /home/antiaircraft

ls agrees.
# ls /home/antiaircraft
Archives  Configs  Documents  Dropbox     Library   Programming  rpmbuild   Web
bin       Desktop  Downloads  fedora-scm  Pictures  Recordings   Templates

Expected results:
The encrypted home directory should automatically be unmounted after logging out. This works correctly with SELinux set to permissive. I'm not seeing any AVCs in either case, however.

Comment 1 Lukas Vrabec 2015-03-10 16:52:54 UTC

Could you attach AVCs? (/var/log/audit/audit.log.)

Comment 2 Theodore Lee 2015-03-11 02:41:31 UTC
Well, the bad news is that I'm unable to provide audit logs, and the good news is that I'm strangely no longer able to reproduce this bug after my latest batch of updates. Ecryptfs home dirs unmount fine regardless of SELinux being set to permissive or enforcing.

I've also uninstalled some packages, so it might perhaps be related to one of those. I'd be willing to revert the changes and try and reproduce it again if this is worth chasing.

Comment 3 Lukas Vrabec 2015-03-11 15:23:00 UTC
If you cannot reproduce it, we could close it and re-open it when you see it again.

Comment 4 Paul DeStefano 2015-10-09 04:11:57 UTC
Yeah, but we can't reopen it, can we?

Comment 5 Lukas Vrabec 2015-10-09 09:28:43 UTC
Could you reproduce it?

Comment 6 Theodore Lee 2015-10-09 09:42:23 UTC
I have not been able to reproduce this with current packages.

Comment 7 Lukas Vrabec 2015-10-09 10:16:47 UTC
So attach the /var/log/audit/audit.log file.

Thank you.

Comment 8 Paul DeStefano 2015-10-10 07:40:53 UTC
Created attachment 1081533
Audit log

This is the "audit" log.  Since we moved to the journal a while ago, I assume you mean journalctl --system | grep audit.  Let me know if that's wrong.

Also, the bug is really "SELinux policy keeps breaking ecryptfs between releases".  So, I don't think you should close just because the policy has been "fixed", yet again, with a package update.
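
A way to condense a log like the one attached in Comment 8 into the distinct denials it contains, as an added example that is not part of the original bug report. The log lines and the `example_src_t` / `example_tgt_t` types are constructed for illustration and are not taken from the attachment.

```shell
#!/bin/sh
# Added example: list the distinct SELinux AVC denials in audit.log or journal text.

# Print one line per unique denial: <source type> <target type> <class> <perms> <comm>
summarize_avc() {
    awk '
    # Value of the key=value token named "key" on this line, quotes stripped.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "-"
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }

    /avc: +denied/ {
        perms = $0                          # permissions sit between { and }
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        gsub(/ /, ",", perms)
        src = setype(field("scontext")); tgt = setype(field("tcontext"))
        key = src " " tgt " " field("tclass") " " perms " " field("comm")
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample: audit.log format, journal format, a repeat, a non-AVC record.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1444462853.101:310): avc:  denied  { unmount } for  pid=2101 comm="umount.ecryptfs" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_tgt_t:s0 tclass=filesystem permissive=0
Oct 10 00:40:53 host audit[2101]: AVC avc:  denied  { read write } for  pid=2101 comm="umount.ecryptfs" name="mtab" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_tgt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444462901.220:355): avc:  denied  { unmount } for  pid=2290 comm="umount.ecryptfs" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_tgt_t:s0 tclass=filesystem permissive=0
type=USER_END msg=audit(1444462901.300:356): pid=1 uid=0 msg='op=PAM:session_close res=success'
EOF
}

sample_log | summarize_avc
```

On a real system, feed it `ausearch -m avc -ts recent` or `journalctl --system | grep audit` instead of the sample. If enforcing mode changes behaviour but no AVC is logged, as in the original description, `semodule -DB` rebuilds the policy with dontaudit rules disabled so hidden denials are recorded, and `semodule -B` restores them.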

Comment 9 Miroslav Grepl 2015-10-12 12:44:05 UTC
*** Bug 1270134 has been marked as a duplicate of this bug. ***

Comment 10 Fedora End Of Life 2015-11-04 15:20:39 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Paul DeStefano 2015-11-07 10:10:24 UTC
Exactly as I said.  Upgrade to F23 causes recurrence.  Someone, please update affected version for this bug.

My old local policies were removed...I don't think that is right.  It's certainly a change in behavior for upgrades, at least.  I'm trying to restore the old policies, first, then we'll go from there.

Comment 12 Paul DeStefano 2015-11-07 10:17:40 UTC
Confirmed, the three SELinux local modules I built with audit2allow under F22 were reinstalled and that resulted in restoring ECryptFS automounted home directory support.

Comment 13 Miroslav Grepl 2015-11-20 09:40:16 UTC
So we have more bugs here, right?

Your local policy modules have been removed by the upgrade, and ECryptFS is non-working?

Comment 14 Paul DeStefano 2015-11-21 17:22:11 UTC
Hi Miroslav,

Yes, I think so.  My memory is a little faded, but I went back, checked the journal, and I'm sure that's what happened.  I was using three local policy files I built with audit2allow in F22.  (AFAIK, they were identical to the ones I built in F18 or whatever.)  Immediately after upgrade to F23, eCryptFS was broken and I just ran semodule to reinstall the policy files I had from before.  I thought I had uploaded the policy files, but I guess I only uploaded the audit log.

Comment 15 Lukas Vrabec 2015-12-03 11:22:50 UTC
I tried to reproduce it on actual Fedora Rawhide and everything looks fine. I used the reproducer from your first comment.

Comment 16 Lukas Vrabec 2015-12-08 13:46:22 UTC
I'm closing this for now, please re-open if you find some AVC. 

Thank you.

Comment 17 Paul DeStefano 2016-06-23 08:57:26 UTC
Happened again with F24.  Old local policies are required, not new ones.  I'll try again with Bug 1333969 as I cannot reopen bugs.

Comment 18 Paul DeStefano 2016-06-23 09:03:40 UTC
Oops, I mean bug 1348380.
