Description of problem:
I have an ecryptfs home directory that's configured to be mounted and unmounted automatically. This works correctly with SELinux set to permissive, but with it set to enforcing, the directory remains mounted after logout.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up an ecryptfs home directory as follows:
# authconfig --enableecryptfs --updateall
# usermod -aG ecryptfs USER
# ecryptfs-migrate-home -u USER
# su - USER
$ ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase
2. With SELinux enforcing, log in as USER via console/GUI, then log out again.
3. Check status of the home directory with root.
df reports the home directory is still mounted.
# df -h
Filesystem Size Used Avail Use% Mounted on
/home/antiaircraft/.Private 468G 223G 222G 51% /home/antiaircraft
# ls /home/antiaircraft
Archives Configs Documents Dropbox Library Programming rpmbuild Web
bin Desktop Downloads fedora-scm Pictures Recordings Templates
The encrypted home directory should automatically be unmounted after logging out. This works correctly with SELinux set to permissive. I'm not seeing any AVCs in either case, however.
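A check for the symptom in step 3, as an added example that is not part of the original report: it lists eCryptfs mounts whose user has no login session. It assumes the mount point's last path component is the user name, as with /home/USER above; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag eCryptfs home directories that are still mounted
# although their user has no login session (cleartext left exposed).
# Assumption: the mount point's last path component is the user name,
# which holds for /home/USER as set up in step 1.

# stale_ecryptfs_mounts MOUNTS_FILE "user1 user2 ..."
# Prints one mount point per line for each eCryptfs mount whose user
# is not in the space-separated list of logged-in users.
stale_ecryptfs_mounts() {
    mounts_file=$1
    logged_in=" $2 "
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "ecryptfs" ] || continue
        user=${mnt##*/}
        case "$logged_in" in
            *" $user "*) ;;               # session still open: expected
            *) printf '%s\n' "$mnt" ;;    # no session: stale mount
        esac
    done < "$mounts_file"
}

# Demo on constructed /proc/mounts lines (mount options shortened).
# "alice" is a made-up second user who is still logged in.
demo_constructed() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/antiaircraft/.Private /home/antiaircraft ecryptfs rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,relatime 0 0
EOF
    stale_ecryptfs_mounts "$sample" "root alice"
    rm -f "$sample"
}

# Live use, as root after the user has logged out:
#   stale_ecryptfs_mounts /proc/mounts \
#       "$(who | awk '{print $1}' | sort -u | tr '\n' ' ')"
```
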
Could you attach AVCs? (/var/log/audit/audit.log.)
Well, the bad news is that I'm unable to provide audit logs, and the good news is that I'm strangely no longer able to reproduce this bug after my latest batch of updates. Ecryptfs home dirs unmount fine regardless of SELinux being set to permissive or enforcing.
I've also uninstalled some packages, so it might perhaps be related to one of those. I'd be willing to revert the changes and try and reproduce it again if this is worth chasing.
If you cannot reproduce it, we could close it and re-open when you see it again.
Yeah, but we can't reopen it, can we?
Could you reproduce it?
I have not been able to reproduce this with current packages.
So attach /var/log/audit/audit.log file.
Created attachment 1081533
This is the "audit" log. Since we moved to the journal a while ago, I assume you mean journalctl --system|grep audit. Let me know if that's wrong.
Also, the bug is really "SELinux policy keeps breaking ecryptfs between releases". So, I don't think you should close just because the policy has been "fixed", yet again, with a package update.
*** Bug 1270134 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Exactly as I said. Upgrade to F23 causes recurrence. Someone, please update affected version for this bug.
My old local policies were removed...I don't think that is right. It's certainly a change in behavior for upgrades, at least. I'm trying to restore the old policies, first, then we'll go from there.
Confirmed, the three SELinux local modules I built with audit2allow under F22 were reinstalled and that resulted in restoring ECryptFS automounted home directory support.
So we have more bugs here, right?
Your local policy modules have been removed by upgrade and non-working ECryptFS?
Yes, I think so. My memory is a little faded, but I went back, checked the journal, and I'm sure that's what happened. I was using three local policy files I built with audit2allow in F22. (AFAIK, they were identical to the ones I built in F18 or whatever.) Immediately after upgrade to F23, eCryptFS was broken and I just ran semodule to reinstall the policy files I had from before. I thought I had uploaded the policy files, but I guess I only uploaded the audit log.
I tried to reproduce it on actual fedora rawhide and everything looks fine. I used reproducer from your first comment.
I'm closing this for now, please re-open if you find some AVC.
Happened again with F24. Old local policies are required, not new ones. I'll try again with Bug 1333969 as I cannot reopen bugs.
Oops, I mean bug 1348380.