Bug 386231 - selinux prevents cryptsetup from accessing usb key
selinux prevents cryptsetup from accessing usb key
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2007-11-15 22:30 EST by Chris Snook
Modified: 2008-01-30 14:05 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:05:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Chris Snook 2007-11-15 22:30:01 EST
Description of problem:
When rc.sysinit calls init_crypto to enable mappings listed in /etc/crypttab,
cryptsetup is not permitted to access a key file on a vfat filesystem mounted
under /mnt.  When invoked manually from single-user mode or a root shell, the
operation succeeds.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a key file on a vfat filesystem (probably not just vfat)

2. create a mountpoint under /mnt and a root read-only fstab entry for the vfat

/dev/sdb1 /mnt/key vfat ro,umask=077 0 0

3. mount /mnt/key manually or by rebooting

4. from root shell or single-user mode, cryptsetup luksFormat a hard drive
partition using the key on the usb drive (selinux will not complain about this)

5. create an /etc/crypttab entry for the luks partition:

crypt /dev/sda4 /mnt/key/sda4.key

6. create a usbkey.modules script in /etc/sysconfig/modules/ which will be
invoked by rc.sysinit prior to calling init_crypto:

/sbin/modprobe usb-storage
/sbin/modprobe vfat
/bin/sleep 5
/bin/mount /mnt/key

7. reboot

Actual results:
cryptsetup fails during boot, and anything within the encrypted partition is
inaccessible.  dmesg shows this:

SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts
audit(1195180052.553:4) avc:  denied  { search } for  pid=1423 comm="cryptsetup"
name="mnt" dev=dm-0 ino=129665 scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir

The audit message is repeated again a few lines lower, as a result of the second
call to init_crypto in rc.sysinit.  (For reference, dm-0 is the lv containing
the root filesystem.)

Expected results:
cryptsetup succeeds, just like it does when invoked interactively

Additional info:
Putting selinux in permissive mode allows cryptsetup to complete successfully.
Comment 1 Daniel Walsh 2007-11-16 09:30:36 EST
I will add a fix for this in selinux-policy-3.0.8-57.fc8

For now you can add this permission by executing 

# grep lvm_t /var/log/audit/audit.log | audit2allow -M mylvm
# semodule -i mylvm.pp

Comment 2 Daniel Walsh 2008-01-30 14:05:41 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.