Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-59.fc7
cryptsetup-luks-1.0.5-4.fc7.1
pam_mount-0.18-1.fc7

How reproducible:

Steps to Reproduce:
1. setup an encrypted home via pam_mount
2. reboot
3. login via gdm

Actual results:
Graphical login not possible, strangely though text mode login does work and after that I can login via gdm as usual!?

Expected results:
I should be able to login right away just like before the selinux-policy upgrade.

Additional info:

Summary
SELinux prevented mount.crypt from mounting on the file or directory "cryptsetup" (type "lvm_exec_t").

Detailed Description
SELinux prevented mount.crypt from mounting a filesystem on the file or directory "cryptsetup" of type "lvm_exec_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "lvm_exec_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1." The following command will allow this access:
setsebool -P allow_mount_anyfile=1

Additional Information
Source Context: system_u:system_r:mount_t:SystemLow-SystemHigh
Target Context: system_u:object_r:lvm_exec_t
Target Objects: cryptsetup [ file ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.6.4-59.fc7
Selinux Enabled: True
Policy Type: targeted
The fix from Bug 386231 does not seem to work:

# grep lvm_exec_t /var/log/audit/audit.log | audit2allow -M mylvm
# semodule -i mylvm.pp
What avc messages are you seeing?
Hope this helps:

type=USER_END msg=audit(1197395091.348:20): user pid=2665 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ERR msg=audit(1197395108.390:21): user pid=3290 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1197395174.711:22): user pid=3368 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1197395174.715:23): user pid=3368 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1197395174.716:24): user pid=3368 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1197395174.720:25): login pid=3368 uid=0 old auid=4294967295 new auid=500
type=AVC msg=audit(1197395174.876:26): avc: denied { getattr } for pid=3404 comm="mount.crypt" path="pipe:[13681]" dev=pipefs ino=13681 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.876:26): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff4e34a340 a2=7fff4e34a340 a3=3e2c34c9d0 items=0 ppid=3403 pid=3404 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.884:27): avc: denied { getattr } for pid=3406 comm="mount.crypt" path="pipe:[13683]" dev=pipefs ino=13683 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.884:27): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff4e349810 a2=7fff4e349810 a3=8 items=0 ppid=3405 pid=3406 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.887:28): avc: denied { getattr } for pid=3407 comm="sed" path="pipe:[13683]" dev=pipefs ino=13683 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.887:28): arch=c000003e syscall=5 success=no exit=-13 a0=0 a1=7fff6b1c8740 a2=7fff6b1c8740 a3=3e2c34c9d0 items=0 ppid=3405 pid=3407 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sed" exe="/bin/sed" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.887:29): avc: denied { getattr } for pid=3407 comm="sed" path="pipe:[13682]" dev=pipefs ino=13682 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.887:29): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff6b1c8710 a2=7fff6b1c8710 a3=6178a0 items=0 ppid=3405 pid=3407 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sed" exe="/bin/sed" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.893:30): avc: denied { execute_no_trans } for pid=3408 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.893:30): arch=c000003e syscall=59 success=no exit=-13 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=3403 pid=3408 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.895:31): avc: denied { read } for pid=3408 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.895:31): arch=c000003e syscall=21 success=no exit=-13 a0=8cf280 a1=4 a2=0 a3=65 items=0 ppid=3403 pid=3408 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.896:32): avc: denied { read } for pid=3408 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.896:32): arch=c000003e syscall=2 success=no exit=-13 a0=8cf280 a1=0 a2=43 a3=65 items=0 ppid=3403 pid=3408 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.899:33): avc: denied { execute_no_trans } for pid=3409 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.899:33): arch=c000003e syscall=59 success=no exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.901:34): avc: denied { read } for pid=3409 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.901:34): arch=c000003e syscall=21 success=no exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.902:35): avc: denied { read } for pid=3409 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.902:35): arch=c000003e syscall=2 success=no exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1197395174.943:36): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
type=CRED_DISP msg=audit(1197395177.145:37): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1197395190.951:38): user pid=3284 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1197395190.951:39): user pid=3284 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1197395190.958:40): login pid=3284 uid=0 old auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1197395191.201:41): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:unconfined_t:s0-s0:c0.c1023 selected-context=root:system_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1197395191.715:42): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=CRED_ACQ msg=audit(1197395191.715:43): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1197395191.783:44): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1197395303.101:45): avc: denied { write } for pid=5183 comm="depmod" path="/var/log/vbox-install.log" dev=dm-5 ino=3277003 scontext=root:system_r:depmod_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1197395303.101:45): avc: denied { write } for pid=5183 comm="depmod" path="/var/log/vbox-install.log" dev=dm-5 ino=3277003 scontext=root:system_r:depmod_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1197395303.101:45): arch=c000003e syscall=59 success=yes exit=0 a0=8ca300 a1=8c8220 a2=8ca620 a3=8 items=0 ppid=5180 pid=5183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="depmod" exe="/sbin/depmod" subj=root:system_r:depmod_t:s0 key=(null)
type=CRED_DISP msg=audit(1197395309.375:46): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_END msg=audit(1197395309.532:47): user pid=3284 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_AUTH msg=audit(1197395317.210:48): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1197395317.215:49): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1197395317.217:50): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1197395317.226:51): login pid=3368 uid=0 old auid=500 new auid=500
type=AVC msg=audit(1197395317.253:52): avc: denied { getattr } for pid=5231 comm="mount.crypt" path="pipe:[16932]" dev=pipefs ino=16932 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.253:52): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff6cb05b00 a2=7fff6cb05b00 a3=3e2c34c9d0 items=0 ppid=5230 pid=5231 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.261:53): avc: denied { getattr } for pid=5233 comm="mount.crypt" path="pipe:[16934]" dev=pipefs ino=16934 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.261:53): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff6cb04fd0 a2=7fff6cb04fd0 a3=8 items=0 ppid=5232 pid=5233 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.266:54): avc: denied { getattr } for pid=5234 comm="sed" path="pipe:[16934]" dev=pipefs ino=16934 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.266:54): arch=c000003e syscall=5 success=no exit=-13 a0=0 a1=7ffffb5eeb70 a2=7ffffb5eeb70 a3=3e2c34c9d0 items=0 ppid=5232 pid=5234 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sed" exe="/bin/sed" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.268:55): avc: denied { getattr } for pid=5234 comm="sed" path="pipe:[16933]" dev=pipefs ino=16933 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.268:55): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7ffffb5eeb40 a2=7ffffb5eeb40 a3=6178a0 items=0 ppid=5232 pid=5234 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sed" exe="/bin/sed" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.271:56): avc: denied { execute_no_trans } for pid=5235 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.271:56): arch=c000003e syscall=59 success=no exit=-13 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=5230 pid=5235 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.272:57): avc: denied { read } for pid=5235 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.272:57): arch=c000003e syscall=21 success=no exit=-13 a0=8cf280 a1=4 a2=0 a3=65 items=0 ppid=5230 pid=5235 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.274:58): avc: denied { read } for pid=5235 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.274:58): arch=c000003e syscall=2 success=no exit=-13 a0=8cf280 a1=0 a2=43 a3=65 items=0 ppid=5230 pid=5235 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.277:59): avc: denied { execute_no_trans } for pid=5236 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:59): arch=c000003e syscall=59 success=no exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.277:60): avc: denied { read } for pid=5236 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:60): arch=c000003e syscall=21 success=no exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.277:61): avc: denied { read } for pid=5236 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:61): arch=c000003e syscall=2 success=no exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1197395317.293:62): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
type=CRED_DISP msg=audit(1197395317.996:63): user pid=3368 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
Any thoughts on this one? I can work around it for now, but it's rather frustrating...
Fixed in selinux-policy-2.6.4-64.fc7
I'm sorry, but where do I find this? Can't find it in Fedora updates-testing.
66 should be showing up in Fedora Testing. You can grab it from http://people.fedoraproject.org/~dwalsh/SELinux/F7
Actually you have 61 on your website; anyway, with a little help from Google I found and installed the 66 release for F7. The problem still occurs though :(

$ rpm -qa|grep selinux-policy
selinux-policy-strict-2.6.4-66.fc7
selinux-policy-2.6.4-66.fc7
selinux-policy-targeted-2.6.4-66.fc7
selinux-policy-mls-2.6.4-66.fc7

Latest entries from "grep crypt /var/log/audit/audit.log":

type=AVC msg=audit(1198765671.631:41): avc: denied { execute_no_trans } for pid=3557 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.631:41): arch=c000003e syscall=59 success=no exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1198765671.633:42): avc: denied { read } for pid=3557 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.633:42): arch=c000003e syscall=21 success=no exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1198765671.634:43): avc: denied { read } for pid=3557 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.634:43): arch=c000003e syscall=2 success=no exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
Ok, let's try. Fixed in selinux-policy-2.6.4-67.fc7
Nope, still doesn't work :( Any idea why a gdm login doesn't work, but a normal tty login does (after which gdm login also works)?

$ rpm -qa|grep selinux-policy
selinux-policy-mls-2.6.4-67.fc7
selinux-policy-strict-2.6.4-67.fc7
selinux-policy-2.6.4-67.fc7
selinux-policy-targeted-2.6.4-67.fc7

type=USER_START msg=audit(1199279351.530:12): user pid=2257 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session open acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1199279351.530:13): user pid=2257 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1199279352.227:14): user pid=2257 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1199279352.228:15): user pid=2257 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1199279358.745:16): user pid=2673 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Stylus_COLOR_880 uri=usb://EPSON/Stylus%20COLOR%20880 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=neo.lokaal.net, addr=192.168.1.44, terminal=? res=success)'
type=USER_START msg=audit(1199279359.705:17): user pid=2743 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session open acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1199279359.705:18): user pid=2743 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1199279361.438:19): user pid=2743 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1199279361.438:20): user pid=2743 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ERR msg=audit(1199279377.676:21): user pid=3432 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1199279390.896:22): user pid=3509 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1199279390.900:23): user pid=3509 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1199279390.901:24): user pid=3509 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1199279390.905:25): login pid=3509 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1199279391.678:26): user pid=3509 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
The audit messages you pasted do not report any problems. Take a look at /var/log/secure. I don't think this is an SELinux problem any longer.
This one is making me confused; pam_mount for login should be exactly the same as for gdm. Anyway, to make it interesting for you again: besides first logging in via tty, setenforce 0 also works.... This is what pam_mount reports in /var/log/secure with debug=1 (Dutch for unknown filesystem, that is):

Jan 3 21:11:30 neo gdm[3450]: pam_mount(mount.c:100) mount: u moet de bestandssysteem soort aangeven
Jan 3 21:11:30 neo gdm[3450]: pam_mount(mount.c:100) mount.crypt: error mounting _dev_Goliath_jeroen
Jan 3 21:11:31 neo gdm[3450]: pam_mount(mount.c:854) waiting for mount
Jan 3 21:11:31 neo gdm[3450]: pam_mount(pam_mount.c:478) mount of /dev/Goliath/jeroen failed
Any thoughts on this one? I know there should be AVC denials, but turning off enforcing mode really does make the problem go away...
You can enable audit messages by executing

semodule -b /usr/share/selinux/enableaudit.pp

Then run the test and see if this gets any messages.

semodule -b /usr/share/selinux/base.pp

will turn it back off.
Damn, this SELinux stuff is complicated. Why am I not seeing this with the default SELinux targeted policy?

type=AVC msg=audit(1199823707.886:640): avc: denied { read } for pid=3650 comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.886:640): avc: denied { siginh } for pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc: denied { rlimitinh } for pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc: denied { noatsecure } for pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1199823707.886:640): arch=c000003e syscall=59 success=yes exit=0 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=3645 pid=3650 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199823707.910:641): avc: denied { read } for pid=3651 comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.910:641): avc: denied { write } for pid=3651 comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.910:641): avc: denied { siginh } for pid=3651 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.910:641): avc: denied { rlimitinh } for pid=3651 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.910:641): avc: denied { noatsecure } for pid=3651 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1199823707.910:641): arch=c000003e syscall=59 success=yes exit=0 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3645 pid=3651 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199823708.436:642): avc: denied { read } for pid=3667 comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823708.436:642): avc: denied { write } for pid=3667 comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823708.436:642): avc: denied { siginh } for pid=3667 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823708.436:642): avc: denied { rlimitinh } for pid=3667 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823708.436:642): avc: denied { noatsecure } for pid=3667 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
Because they are dontaudited, meaning that most of the time the code does not need these privs but asks for them anyway. If you create a module off of these AVCs, does the mount work in enforcing mode?
Yeeha, that worked, finally :) This is what I did:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp
reboot
try to login via gdm (fails)
login via tty (success), login via gdm (success)
grep crypt /var/log/audit/audit.log|grep -i denied|audit2allow -M mycrypt
semodule -i mycrypt.pp
reboot
login via gdm (success!)

# cat mycrypt.te
module mycrypt 1.0;

require {
	type hald_t;
	type device_t;
	type mount_t;
	type lvm_exec_t;
	type lvm_t;
	type xdm_t;
	class process { siginh noatsecure rlimitinh };
	class blk_file getattr;
	class file { read execute getattr execute_no_trans };
	class fifo_file { read write getattr };
}

#============= hald_t ==============
allow hald_t device_t:blk_file getattr;

#============= lvm_t ==============
allow lvm_t xdm_t:fifo_file { read write };

#============= mount_t ==============
allow mount_t lvm_exec_t:file { read execute getattr execute_no_trans };
allow mount_t lvm_t:process { siginh rlimitinh noatsecure };
allow mount_t self:fifo_file getattr;

Thank you for your support!
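The collect-and-generate step of the procedure above (load enableaudit.pp so the dontaudited denials from the previous two comments become visible, then feed them to audit2allow), as an added Python example that is not part of this bug report or of any Fedora tool: it parses AVC records of the shape quoted in this thread and renders the equivalent allow rules, so the exact permissions a generated module would grant (here mount_t on lvm_exec_t, lvm_t on an xdm_t pipe) can be reviewed before running semodule -i. The sample records are constructed from the ones in the thread; SYSCALL records are shortened and skipped by the parser.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the records quoted in this bug: mount.crypt
# (running as mount_t) executing /sbin/cryptsetup (lvm_exec_t), plus the
# process permissions that only appear once enableaudit.pp is loaded.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197395174.876:26): avc: denied { getattr } for pid=3404 comm="mount.crypt" path="pipe:[13681]" dev=pipefs ino=13681 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.876:26): arch=c000003e syscall=5 success=no exit=-13 comm="mount.crypt" exe="/bin/bash"
type=AVC msg=audit(1197395174.893:30): avc: denied { execute_no_trans } for pid=3408 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1197395174.895:31): avc: denied { read } for pid=3408 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1199823707.886:640): avc: denied { siginh } for pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc: denied { rlimitinh } for pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.910:641): avc: denied { write } for pid=3651 comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
"""

# One AVC denial record: the permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a context such as system_u:system_r:mount_t:s0."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def collect_rules(text):
    """Merge denials into {(source, target, tclass): perms}; the target becomes
    'self' when source and target type coincide, the way audit2allow writes it."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        rules[(stype, "self" if stype == ttype else ttype, tclass)] |= perms
    return dict(rules)


def render_te(rules, module="mycrypt"):
    """Render the rules as a .te module, roughly in the layout audit2allow -M produces
    (this version always writes permission sets in braces)."""
    types = sorted({t for key in rules for t in key[:2] if t != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review the grants before building with checkmodule/semodule_package.
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG)), end="")
```

Run it against the real file with `collect_rules(open("/var/log/audit/audit.log").read())`; any rule that grants more than the failing program needs (for example broad write access between domains) is the cue to look for a proper domain transition or a policy fix instead of installing the module.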