Bug 418711 - latest selinux-policy prevents mount.crypt from accessing cryptsetup
Summary: latest selinux-policy prevents mount.crypt from accessing cryptsetup
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: x86_64
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-12-10 20:01 UTC by Jeroen Beerstra
Modified: 2008-01-14 18:14 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-14 18:14:22 UTC
Type: ---
Embargoed:



Description Jeroen Beerstra 2007-12-10 20:01:27 UTC
Description of problem:


Version-Release number of selected component (if applicable):

selinux-policy-2.6.4-59.fc7
cryptsetup-luks-1.0.5-4.fc7.1
pam_mount-0.18-1.fc7

How reproducible:


Steps to Reproduce:
1. setup an encrypted home via pam_mount
2. reboot
3. login via gdm
  
Actual results:

Graphical login not possible; strangely though, text mode login does work, and
after that I can login via gdm as usual!?

Expected results:

I should be able to login right away just like before the selinux-policy upgrade.

Additional info:

Summary

SELinux prevented mount.crypt from mounting on the file or directory
"cryptsetup" (type "lvm_exec_t").

Detailed Description

SELinux prevented mount.crypt from mounting a filesystem on the file or
directory "cryptsetup" of type "lvm_exec_t". By default SELinux limits the
mounting of filesystems to only some files or directories (those with types that
have the mountpoint attribute). The type "lvm_exec_t" does not have this
attribute. You can either relabel the file or directory or set the boolean
"allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access

Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."

The following command will allow this access:

setsebool -P allow_mount_anyfile=1

Additional Information

Source Context:  system_u:system_r:mount_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:lvm_exec_t
Target Objects:  cryptsetup [ file ]
Affected RPM Packages:
Policy RPM:  selinux-policy-2.6.4-59.fc7
Selinux Enabled:  True
Policy Type:  targeted

Comment 1 Jeroen Beerstra 2007-12-10 20:03:33 UTC
The fix from Bug 386231 does not seem to work:

# grep lvm_exec_t /var/log/audit/audit.log | audit2allow -M mylvm
# semodule -i mylvm.pp

Comment 2 Daniel Walsh 2007-12-12 16:04:28 UTC
What avc messages are you seeing?

Comment 3 Jeroen Beerstra 2007-12-12 22:08:48 UTC
Hope this helps:

type=USER_END msg=audit(1197395091.348:20): user pid=2665 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ERR msg=audit(1197395108.390:21): user pid=3290 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1197395174.711:22): user pid=3368 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen
: exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1197395174.715:23): user pid=3368 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1197395174.716:24): user pid=3368 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1197395174.720:25): login pid=3368 uid=0 old
auid=4294967295 new auid=500
type=AVC msg=audit(1197395174.876:26): avc:  denied  { getattr } for  pid=3404
comm="mount.crypt" path="pipe:[13681]" dev=pipefs ino=13681
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.876:26): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7fff4e34a340 a2=7fff4e34a340 a3=3e2c34c9d0 items=0 ppid=3403
pid=3404 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.884:27): avc:  denied  { getattr } for  pid=3406
comm="mount.crypt" path="pipe:[13683]" dev=pipefs ino=13683
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.884:27): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7fff4e349810 a2=7fff4e349810 a3=8 items=0 ppid=3405 pid=3406
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.887:28): avc:  denied  { getattr } for  pid=3407
comm="sed" path="pipe:[13683]" dev=pipefs ino=13683
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.887:28): arch=c000003e syscall=5 success=no
exit=-13 a0=0 a1=7fff6b1c8740 a2=7fff6b1c8740 a3=3e2c34c9d0 items=0 ppid=3405
pid=3407 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sed" exe="/bin/sed"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.887:29): avc:  denied  { getattr } for  pid=3407
comm="sed" path="pipe:[13682]" dev=pipefs ino=13682
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395174.887:29): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7fff6b1c8710 a2=7fff6b1c8710 a3=6178a0 items=0 ppid=3405
pid=3407 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sed" exe="/bin/sed"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.893:30): avc:  denied  { execute_no_trans } for 
pid=3408 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.893:30): arch=c000003e syscall=59 success=no
exit=-13 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=3403 pid=3408 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395174.895:31): avc:  denied  { read } for  pid=3408
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.895:31): arch=c000003e syscall=21 success=no
exit=-13 a0=8cf280 a1=4 a2=0 a3=65 items=0 ppid=3403 pid=3408 auid=500 uid=0
gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395174.896:32): avc:  denied  { read } for  pid=3408
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.896:32): arch=c000003e syscall=2 success=no
exit=-13 a0=8cf280 a1=0 a2=43 a3=65 items=0 ppid=3403 pid=3408 auid=500 uid=0
gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395174.899:33): avc:  denied  { execute_no_trans } for 
pid=3409 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.899:33): arch=c000003e syscall=59 success=no
exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395174.901:34): avc:  denied  { read } for  pid=3409
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.901:34): arch=c000003e syscall=21 success=no
exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395174.902:35): avc:  denied  { read } for  pid=3409
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395174.902:35): arch=c000003e syscall=2 success=no
exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=3403 pid=3409 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=USER_START msg=audit(1197395174.943:36): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
type=CRED_DISP msg=audit(1197395177.145:37): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1197395190.951:38): user pid=3284 uid=0 auid=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1197395190.951:39): user pid=3284 uid=0 auid=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting
acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1197395190.958:40): login pid=3284 uid=0 old
auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1197395191.201:41): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam:
default-context=root:system_r:unconfined_t:s0-s0:c0.c1023
selected-context=root:system_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login"
(hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1197395191.715:42): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open
acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=CRED_ACQ msg=audit(1197395191.715:43): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root
: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1197395191.783:44): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=0: exe="/bin/login"
(hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1197395303.101:45): avc:  denied  { write } for  pid=5183
comm="depmod" path="/var/log/vbox-install.log" dev=dm-5 ino=3277003
scontext=root:system_r:depmod_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1197395303.101:45): avc:  denied  { write } for  pid=5183
comm="depmod" path="/var/log/vbox-install.log" dev=dm-5 ino=3277003
scontext=root:system_r:depmod_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1197395303.101:45): arch=c000003e syscall=59 success=yes
exit=0 a0=8ca300 a1=8c8220 a2=8ca620 a3=8 items=0 ppid=5180 pid=5183 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="depmod"
exe="/sbin/depmod" subj=root:system_r:depmod_t:s0 key=(null)
type=CRED_DISP msg=audit(1197395309.375:46): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root
: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_END msg=audit(1197395309.532:47): user pid=3284 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session close
acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_AUTH msg=audit(1197395317.210:48): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen
: exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1197395317.215:49): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1197395317.217:50): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1197395317.226:51): login pid=3368 uid=0 old auid=500 new
auid=500
type=AVC msg=audit(1197395317.253:52): avc:  denied  { getattr } for  pid=5231
comm="mount.crypt" path="pipe:[16932]" dev=pipefs ino=16932
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.253:52): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7fff6cb05b00 a2=7fff6cb05b00 a3=3e2c34c9d0 items=0 ppid=5230
pid=5231 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.261:53): avc:  denied  { getattr } for  pid=5233
comm="mount.crypt" path="pipe:[16934]" dev=pipefs ino=16934
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.261:53): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7fff6cb04fd0 a2=7fff6cb04fd0 a3=8 items=0 ppid=5232 pid=5233
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.266:54): avc:  denied  { getattr } for  pid=5234
comm="sed" path="pipe:[16934]" dev=pipefs ino=16934
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.266:54): arch=c000003e syscall=5 success=no
exit=-13 a0=0 a1=7ffffb5eeb70 a2=7ffffb5eeb70 a3=3e2c34c9d0 items=0 ppid=5232
pid=5234 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sed" exe="/bin/sed"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.268:55): avc:  denied  { getattr } for  pid=5234
comm="sed" path="pipe:[16933]" dev=pipefs ino=16933
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1197395317.268:55): arch=c000003e syscall=5 success=no
exit=-13 a0=1 a1=7ffffb5eeb40 a2=7ffffb5eeb40 a3=6178a0 items=0 ppid=5232
pid=5234 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="sed" exe="/bin/sed"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.271:56): avc:  denied  { execute_no_trans } for 
pid=5235 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.271:56): arch=c000003e syscall=59 success=no
exit=-13 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=5230 pid=5235 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395317.272:57): avc:  denied  { read } for  pid=5235
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.272:57): arch=c000003e syscall=21 success=no
exit=-13 a0=8cf280 a1=4 a2=0 a3=65 items=0 ppid=5230 pid=5235 auid=500 uid=0
gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395317.274:58): avc:  denied  { read } for  pid=5235
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.274:58): arch=c000003e syscall=2 success=no
exit=-13 a0=8cf280 a1=0 a2=43 a3=65 items=0 ppid=5230 pid=5235 auid=500 uid=0
gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395317.277:59): avc:  denied  { execute_no_trans } for 
pid=5236 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:59): arch=c000003e syscall=59 success=no
exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197395317.277:60): avc:  denied  { read } for  pid=5236
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:60): arch=c000003e syscall=21 success=no
exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197395317.277:61): avc:  denied  { read } for  pid=5236
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1197395317.277:61): arch=c000003e syscall=2 success=no
exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=5230 pid=5236 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=USER_START msg=audit(1197395317.293:62): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'
type=CRED_DISP msg=audit(1197395317.996:63): user pid=3368 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'

Comment 4 Jeroen Beerstra 2007-12-20 20:52:24 UTC
Any thoughts on this one? I can work around it for now, but it's rather frustrating...

Comment 5 Daniel Walsh 2007-12-21 07:38:24 UTC
Fixed in selinux-policy-2.6.4-64.fc7

Comment 6 Jeroen Beerstra 2007-12-26 20:02:08 UTC
I'm sorry but where do I find this? Can't find it in fedora updates testing..

Comment 7 Daniel Walsh 2007-12-27 01:30:19 UTC
66 should be showing up in Fedora Testing.

You can grab it from 

http://people.fedoraproject.org/~dwalsh/SELinux/F7


Comment 8 Jeroen Beerstra 2007-12-27 14:36:40 UTC
Actually you have 61 on your website; anyway, with a little help from google I
found and installed the 66 release for F7. The problem still occurs though :(

$ rpm -qa|grep selinux-policy
selinux-policy-strict-2.6.4-66.fc7
selinux-policy-2.6.4-66.fc7
selinux-policy-targeted-2.6.4-66.fc7
selinux-policy-mls-2.6.4-66.fc7

latest entries from "grep crypt /var/log/audit/audit.log":

type=AVC msg=audit(1198765671.631:41): avc:  denied  { execute_no_trans } for 
pid=3557 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.631:41): arch=c000003e syscall=59 success=no
exit=-13 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="mount.crypt" exe="/bin/bash"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1198765671.633:42): avc:  denied  { read } for  pid=3557
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.633:42): arch=c000003e syscall=21 success=no
exit=-13 a0=8cbd80 a1=4 a2=0 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1198765671.634:43): avc:  denied  { read } for  pid=3557
comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912
scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1198765671.634:43): arch=c000003e syscall=2 success=no
exit=-13 a0=8cbd80 a1=0 a2=43 a3=3e2c34c9d0 items=0 ppid=3551 pid=3557 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="mount.crypt" exe="/bin/bash" subj=system_u:system_r:mount_t:s0-s0:c0.c1023
key=(null)

Comment 9 Daniel Walsh 2007-12-31 15:03:32 UTC
Ok, let's try

Fixed in selinux-policy-2.6.4-67.fc7

Comment 10 Jeroen Beerstra 2008-01-02 13:17:49 UTC
Nope still doesn't work :(

Any idea why a gdm login doesn't work, but normal tty login does (after which
gdm login also works)?

$ rpm -qa|grep selinux-policy
selinux-policy-mls-2.6.4-67.fc7
selinux-policy-strict-2.6.4-67.fc7
selinux-policy-2.6.4-67.fc7
selinux-policy-targeted-2.6.4-67.fc7

type=USER_START msg=audit(1199279351.530:12): user pid=2257 uid=0
auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session open
acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1199279351.530:13): user pid=2257 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1199279352.227:14): user pid=2257 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1199279352.228:15): user pid=2257 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1199279358.745:16): user pid=2673 uid=0
auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=Stylus_COLOR_880 uri=usb://EPSON/Stylus%20COLOR%20880
banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=neo.lokaal.net,
addr=192.168.1.44, terminal=? res=success)'
type=USER_START msg=audit(1199279359.705:17): user pid=2743 uid=0
auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session open
acct=root : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1199279359.705:18): user pid=2743 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1199279361.438:19): user pid=2743 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1199279361.438:20): user pid=2743 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: session close acct=root :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ERR msg=audit(1199279377.676:21): user pid=3432 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1199279390.896:22): user pid=3509 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=jeroen
: exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1199279390.900:23): user pid=3509 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1199279390.901:24): user pid=3509 uid=0 auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1199279390.905:25): login pid=3509 uid=0 old
auid=4294967295 new auid=500
type=USER_START msg=audit(1199279391.678:26): user pid=3509 uid=0 auid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=jeroen :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=failed)'

Comment 11 Daniel Walsh 2008-01-03 18:35:45 UTC
The audit messages you pasted do not report any problems.  Take a look at
/var/log/secure.

I don't think this is an SELinux problem any longer.



Comment 12 Jeroen Beerstra 2008-01-03 20:21:33 UTC
This one is making me confused; pam_mount for login should be exactly the same
as for gdm. Anyway, to make it interesting for you again: besides first logging in
via tty, setenforce 0 also works....

This is what pam_mount reports in /var/log/secure with debug=1 (Dutch for
"unknown filesystem", that is).

Jan  3 21:11:30 neo gdm[3450]: pam_mount(mount.c:100) mount: u moet de
bestandssysteem soort aangeven [you must specify the filesystem type]
Jan  3 21:11:30 neo gdm[3450]: pam_mount(mount.c:100) mount.crypt: error
mounting _dev_Goliath_jeroen
Jan  3 21:11:31 neo gdm[3450]: pam_mount(mount.c:854) waiting for mount
Jan  3 21:11:31 neo gdm[3450]: pam_mount(pam_mount.c:478) mount of
/dev/Goliath/jeroen failed


Comment 13 Jeroen Beerstra 2008-01-08 13:54:09 UTC
Any thoughts on this one? I know there should be AVC denials, but turning off
enforcing mode really does make the problem go away...

Comment 14 Daniel Walsh 2008-01-08 19:46:37 UTC
You can enable audit messages by executing

semodule -b /usr/share/selinux/enableaudit.pp

Then run the test and see if this gets any messages.

semodule -b /usr/share/selinux/base.pp
will turn it back off.

Comment 15 Jeroen Beerstra 2008-01-08 20:29:20 UTC
Damn, this SELinux stuff is complicated. Why am I not seeing this with the default
SELinux targeted policy?

type=AVC msg=audit(1199823707.886:640): avc:  denied  { read } for  pid=3650
comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.886:640): avc:  denied  { siginh } for  pid=3650
comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc:  denied  { rlimitinh } for 
pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc:  denied  { noatsecure } for 
pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1199823707.886:640): arch=c000003e syscall=59 success=yes
exit=0 a0=8cf280 a1=8ce8a0 a2=8cf460 a3=65 items=0 ppid=3645 pid=3650 auid=500
uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none)
comm="cryptsetup" exe="/sbin/cryptsetup"
subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199823707.910:641): avc:  denied  { read } for  pid=3651
comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.910:641): avc:  denied  { write } for  pid=3651
comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.910:641): avc:  denied  { siginh } for  pid=3651
comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.910:641): avc:  denied  { rlimitinh } for 
pid=3651 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.910:641): avc:  denied  { noatsecure } for 
pid=3651 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1199823707.910:641): arch=c000003e syscall=59 success=yes
exit=0 a0=8cbd80 a1=8ce6c0 a2=8cf460 a3=3e2c34c9d0 items=0 ppid=3645 pid=3651
auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500
tty=(none) comm="cryptsetup" exe="/sbin/cryptsetup"
subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199823708.436:642): avc:  denied  { read } for  pid=3667
comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823708.436:642): avc:  denied  { write } for  pid=3667
comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146
scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823708.436:642): avc:  denied  { siginh } for  pid=3667
comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823708.436:642): avc:  denied  { rlimitinh } for 
pid=3667 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823708.436:642): avc:  denied  { noatsecure } for 
pid=3667 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process


Comment 16 Daniel Walsh 2008-01-11 20:29:17 UTC
Because they are dontaudited, meaning that most of the time the code does not
need these privs but asks for them anyway.

If you create a module off of these AVCs, does the mount work in enforcing mode?



Comment 17 Jeroen Beerstra 2008-01-12 11:17:02 UTC
Yeeha, that worked, finally :)

This is what I did:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

reboot

try to login via gdm (fails), login via tty (success), login via gdm (success)

grep crypt /var/log/audit/audit.log|grep -i denied|audit2allow -M mycrypt
semodule -i mycrypt.pp

reboot

login via gdm (success!)

# cat mycrypt.te

module mycrypt 1.0;

require {
        type hald_t;
        type device_t;
        type mount_t;
        type lvm_exec_t;
        type lvm_t;
        type xdm_t;
        class process { siginh noatsecure rlimitinh };
        class blk_file getattr;
        class file { read execute getattr execute_no_trans };
        class fifo_file { read write getattr };
}

#============= hald_t ==============
allow hald_t device_t:blk_file getattr;

#============= lvm_t ==============
allow lvm_t xdm_t:fifo_file { read write };

#============= mount_t ==============
allow mount_t lvm_exec_t:file { read execute getattr execute_no_trans };
allow mount_t lvm_t:process { siginh rlimitinh noatsecure };
allow mount_t self:fifo_file getattr;

Thank you for your support!

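Comment 1's `grep lvm_exec_t | audit2allow -M mylvm` and Comment 17's `grep crypt | grep -i denied | audit2allow -M mycrypt` differ only in which AVC records reach the generator, which is why the first module could never contain the fifo_file and process rules that the working module needed. The script below is an added example, not code from this thread and not Fedora's audit2allow: a small re-implementation of the grouping step audit2allow performs (one allow rule per source type, target type and object class, with `self` when source and target coincide), run over AVC records copied from Comments 3 and 15 and trimmed to the fields the grouping needs. Run with the `lvm_exec_t` filter it reproduces the mylvm module; run with the `crypt` filter it reproduces the mount_t and lvm_t rules of mycrypt.te. The hald_t rule and the extra `execute`/`getattr` permissions in the page's module come from records not pasted in the thread, so they do not appear here.

```python
"""Minimal audit2allow-style rule generator (added example; not Fedora's
audit2allow and not code from the bug thread).  It parses AVC records of the
form pasted in the bug, groups them the way audit2allow does and renders a
type-enforcement (.te) module."""
import re
from collections import defaultdict

# Sample AVC records: copied from Comments 3 and 15 above and trimmed to the
# fields the grouping uses.  The trailing SYSCALL record shows that non-AVC
# lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197395174.876:26): avc:  denied  { getattr } for  pid=3404 comm="mount.crypt" path="pipe:[13681]" dev=pipefs ino=13681 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1197395174.893:30): avc:  denied  { execute_no_trans } for  pid=3408 comm="mount.crypt" path="/sbin/cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1197395174.895:31): avc:  denied  { read } for  pid=3408 comm="mount.crypt" name="cryptsetup" dev=sda1 ino=162912 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=AVC msg=audit(1199823707.886:640): avc:  denied  { read } for  pid=3650 comm="cryptsetup" path="pipe:[14145]" dev=pipefs ino=14145 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.910:641): avc:  denied  { write } for  pid=3651 comm="cryptsetup" path="pipe:[14146]" dev=pipefs ino=14146 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1199823707.886:640): avc:  denied  { siginh } for  pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc:  denied  { rlimitinh } for  pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1199823707.886:640): avc:  denied  { noatsecure } for  pid=3650 comm="cryptsetup" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1199823707.886:640): arch=c000003e syscall=59 success=yes exit=0 comm="cryptsetup" exe="/sbin/cryptsetup"
"""

# One AVC denial: the permission set in braces, then the two contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:mls] -> type.  The MLS range itself contains ':'
    (s0-s0:c0.c1023), so take the third field, not the last one."""
    return ctx.split(':')[2]


def parse_denials(log_text, filter_substring=None):
    """Yield (source_type, target_type, tclass, perm) per denied permission.
    filter_substring mimics `grep <pattern> audit.log | audit2allow`: only
    lines containing it are considered, so a narrow pattern silently drops
    denials on other types and classes."""
    for line in log_text.splitlines():
        if filter_substring is not None and filter_substring not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = context_type(m['scon']), context_type(m['tcon'])
        for perm in m['perms'].split():
            yield src, tgt, m['tclass'], perm


def build_rules(log_text, filter_substring=None):
    """Group denials by (source, target, class) and merge their permissions.
    A target equal to the source is reported as 'self', which is how
    `allow mount_t self:fifo_file getattr;` arises."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text, filter_substring):
        rules[(src, 'self' if tgt == src else tgt, tclass)].add(perm)
    return dict(rules)


def _perm_list(perms):
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'


def render_module(name, rules):
    """Render a .te file: module header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update({src} if tgt == 'self' else {src, tgt})
        classes[tclass].update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['        type %s;' % t for t in sorted(types)]
    out += ['        class %s %s;' % (c, _perm_list(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append('allow %s %s:%s %s;' % (src, tgt, tclass, _perm_list(perms)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Comment 1: only lvm_exec_t lines reach the generator, so the fifo_file
    # and process denials never make it into the module.
    print(render_module('mylvm', build_rules(SAMPLE_AUDIT_LOG, 'lvm_exec_t')))
    # Comment 17: every denial mentioning "crypt", collected with dontaudit
    # rules disabled, yields the rules that finally made gdm login work.
    print(render_module('mycrypt', build_rules(SAMPLE_AUDIT_LOG, 'crypt')))
```

Two things in the rendered module are worth reading with care. The Comment 15 records show execve of /sbin/cryptsetup succeeding with subj=lvm_t, so by the -67 policy the mount_t to lvm_t transition itself already works; what remains denied are the inheritance permissions (`siginh`, `rlimitinh`, `noatsecure`), which Comment 16 explains are dontaudited by default, and lvm_t reading and writing the pipes gdm (xdm_t) handed down. The `execute_no_trans` permission, carried over from the earlier -59 denials, additionally lets mount_t run cryptsetup inside its own domain without any transition, which is a broader grant than the working login strictly required.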
