Description of problem:
When rc.sysinit calls init_crypto to enable mappings listed in /etc/crypttab, cryptsetup is not permitted to access a key file on a vfat filesystem mounted under /mnt. When invoked manually from single-user mode or a root shell, the operation succeeds.

Version-Release number of selected component (if applicable):
F8 GA

How reproducible:
100%

Steps to Reproduce:
1. create a key file on a vfat filesystem (probably not just vfat)
2. create a mountpoint under /mnt and a root read-only fstab entry for the vfat filesystem:
   /dev/sdb1 /mnt/key vfat ro,umask=077 0 0
3. mount /mnt/key manually or by rebooting
4. from root shell or single-user mode, cryptsetup luksFormat a hard drive partition using the key on the usb drive (selinux will not complain about this)
5. create an /etc/crypttab entry for the luks partition:
   crypt /dev/sda4 /mnt/key/sda4.key
6. create a usbkey.modules script in /etc/sysconfig/modules/ which will be invoked by rc.sysinit prior to calling init_crypto:
   #!/bin/sh
   /sbin/modprobe usb-storage
   /sbin/modprobe vfat
   /bin/sleep 5
   /bin/mount /mnt/key
7. reboot

Actual results:
cryptsetup fails during boot, and anything within the encrypted partition is inaccessible. dmesg shows this:

SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts
audit(1195180052.553:4) avc: denied { search } for pid=1423 comm="cryptsetup" name="mnt" dev=dm-0 ino=129665 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

The audit message is repeated again a few lines lower, as a result of the second call to init_crypto in rc.sysinit. (For reference, dm-0 is the lv containing the root filesystem.)

Expected results:
cryptsetup succeeds, just like it does when invoked interactively

Additional info:
Putting selinux in permissive mode allows cryptsetup to complete successfully.
I will add a fix for this in selinux-policy-3.0.8-57.fc8

For now you can add this permission by executing

# grep lvm_t /var/log/audit/audit.log | audit2allow -M mylvm
# semodule -i mylvm.pp
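The workaround above pipes the lvm_t denials through audit2allow, which turns each AVC record into an allow rule. The following POSIX shell script is an added example, not part of this bug report or of the selinux-policy package: it parses the denial line quoted in the report (copied here as a constructed sample) into the source type, target type, object class and permission set, and prints the rule audit2allow would generate for it, so the scope of what a local module grants can be reviewed before semodule loads it. The function names (ctx_type, avc_to_rule, avc_rules) are this example's own.

```shell
#!/bin/sh
# Added example: derive the allow rule audit2allow would emit from an
# SELinux AVC denial line. Not code from the bug report or from selinux-policy.

# Constructed sample, copied in shape from the dmesg line quoted in this bug.
SAMPLE_AVC='audit(1195180052.553:4) avc: denied { search } for pid=1423 comm="cryptsetup" name="mnt" dev=dm-0 ino=129665 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# ctx_type CONTEXT -> the type field of a user:role:type:level context
# (system_u:system_r:lvm_t:s0 -> lvm_t).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> "allow <source type> <target type>:<class> { perms };"
# Returns 1 if the line lacks any of the four fields a rule needs.
avc_to_rule() {
    avc=$1
    # Permissions sit between "denied {" and the closing brace.
    perms=$(printf '%s\n' "$avc" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p')
    perms=$(printf '%s\n' "$perms" | tr -s ' ' | sed 's/^ //; s/ $//')
    scontext=$(printf '%s\n' "$avc" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$avc" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$avc" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$scontext" ] && [ -n "$tcontext" ] && [ -n "$tclass" ] || return 1
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$scontext")" "$(ctx_type "$tcontext")" "$tclass" "$perms"
}

# avc_rules: read audit/dmesg lines on stdin, keep only AVC denials, and print
# the distinct rules they imply. Duplicate denials (the report notes the same
# message twice, once per init_crypto call) collapse to a single rule.
avc_rules() {
    while IFS= read -r entry; do
        case $entry in
            *"avc: denied"*) avc_to_rule "$entry" ;;
        esac
    done | sort -u
}

# Stand-alone demonstration: the sample denial maps to the single rule
#   allow lvm_t mnt_t:dir { search };
printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC" | avc_rules
```

Run against a real log it would be used as `grep lvm_t /var/log/audit/audit.log | sh -c '. ./avc_rules.sh; avc_rules'` after removing the demonstration line; the point of seeing the rule in this form is that a module built from a broad grep may carry more than the one search permission on mnt_t that this bug actually needs.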
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.