Description of problem: SELinux is preventing login (ecryptfs pam module) read sysfs_t. Ecryptfs pam module needs to read /sys/fs/ecryptfs/version to check what modes are supported by kernel module. Ecryptfs pam module (pam_ecryptfs.so) is used for login auto-mounting of encrypted directory. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.6.12-34.fc11.noarch ecryptfs-utils-75-1.fc11.x86_64 How reproducible: always Steps to Reproduce: 1.use ecryptfs-setup-private 2.change /etc/pam.d/system-auth (see bug #479727 comment #4) 3.create some file under ~/Private 3.ecryptfs-umount-private 4.logout 5.login 6.ls ~/Private Actual results: file names are not decrypted, because pam module thinks file name encryption is not supported by kernel Expected results: file names decrypted Additional info: Source Context: system_u:system_r:local_login_t:s0-s0:c0.c1023Target Context: system_u:object_r:sysfs_t:s0Target Objects: version [ file ]Source: loginSource Path: <Unknown>Port: <Unknown>Host: dhcp-lab-102.englab.brq.redhat.comSource RPM Packages: util-linux-ng-2.14.2-8.fc11Target RPM Packages: Policy RPM: selinux-policy-3.6.12-34.fc11Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: PermissivePlugin Name: catchallHost Name: dhcp-lab-102.englab.brq.redhat.comPlatform: Linux dhcp-lab-102.englab.brq.redhat.com 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64Alert Count: 14First Seen: Thu 21 May 2009 03:59:52 PM CESTLast Seen: Mon 25 May 2009 01:13:42 PM CESTLocal ID: aa5f097d-d833-4ff5-a900-d285e25b2f69Line Numbers: Raw Audit Messages :node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { read } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { open } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=SYSCALL msg=audit(1243250022.69:16): arch=c000003e syscall=2 success=yes exit=4 a0=1885730 a1=0 a2=0 a3=8 items=0 ppid=1 pid=1385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.6.12-42.fc11.noarch
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping