The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing cryptsetup (devicekit_disk_t) "ipc_lock" devicekit_disk_t.

Detailed Description:

SELinux denied access requested by cryptsetup. It is not expected that this access is required by cryptsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        cryptsetup
Source Path                   /sbin/cryptsetup
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cryptsetup-luks-1.0.7-0.1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.19-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.24.rc0.git18.fc12.x86_64 #1 SMP Mon Jun 22 16:26:38 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 24 Jun 2009 06:10:53 AM PDT
Last Seen                     Wed 24 Jun 2009 06:10:53 AM PDT
Local ID                      366f0266-fea8-4bb8-9955-463c94d45479
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1245849053.31:22): avc: denied { ipc_lock } for pid=2470 comm="cryptsetup" capability=14 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1245849053.31:22): arch=c000003e syscall=151 success=yes exit=0 a0=3 a1=0 a2=7fff1a548f70 a3=28 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= devicekit_disk_t ==============
allow devicekit_disk_t self:capability ipc_lock;
This is the first of a series of AVCs generated by plugging in a USB hard drive with a LUKS encrypted ext4 partition.

Here are the /var/log/messages for the rest:

Jun 24 06:10:55 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "ipc_lock" devicekit_disk_t. For complete SELinux messages. run sealert -l 366f0266-fea8-4bb8-9955-463c94d45479
Jun 24 06:10:57 tlondon kernel: EXT4-fs (dm-2): barriers enabled
Jun 24 06:10:58 tlondon kernel: kjournald2 starting: pid 2556, dev dm-2:8, commit interval 5 seconds
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): internal journal on dm-2:8
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): delayed allocation enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs: file extents enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs: mballoc enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): mounted filesystem with ordered data mode
Jun 24 06:11:01 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read" proc_t. For complete SELinux messages. run sealert -l 867ff008-a68c-49e4-ba6b-446593f21b04
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read" proc_t. For complete SELinux messages. run sealert -l 867ff008-a68c-49e4-ba6b-446593f21b04
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "getattr" proc_t. For complete SELinux messages. run sealert -l 2cfa237a-d9a0-40a9-8b37-c9be776daf08
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "getattr" lvm_control_t. For complete SELinux messages. run sealert -l 987bbe5f-b1d3-417b-92f4-0a87fa24ecb5
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 66eb5d47-a59e-4f02-a7b8-9279e964c75a
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 66eb5d47-a59e-4f02-a7b8-9279e964c75a
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "search" debugfs_t. For complete SELinux messages. run sealert -l 0817b1b1-cb6d-497d-af73-180558193710
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 38be1ce5-3426-4c4e-9e8e-6f5fad9b9b65
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "mknod" devicekit_disk_t. For complete SELinux messages. run sealert -l f2b5acd3-36db-4af8-a5aa-dfa98c3348c9
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "mknod" devicekit_disk_t. For complete SELinux messages. run sealert -l f2b5acd3-36db-4af8-a5aa-dfa98c3348c9
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "setattr" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 96d86dc6-34bb-4d41-8aa4-4851bbeee67b
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "relabelfrom" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 0d171650-211f-4836-8a31-b842eeb6e491
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "relabelfrom" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 0d171650-211f-4836-8a31-b842eeb6e491
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "unlink" fixed_disk_device_t. For complete SELinux messages. run sealert -l 6ef469e1-51d6-4f6f-9e74-3bd89f2d0997

The raw AVCs:

type=AVC msg=audit(1245849053.031:22): avc: denied { ipc_lock } for pid=2470 comm="cryptsetup" capability=14 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1245849053.031:22): arch=c000003e syscall=151 success=yes exit=0 a0=3 a1=0 a2=7fff1a548f70 a3=28 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.052:23): avc: denied { read } for pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1245849053.052:23): avc: denied { open } for pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1245849053.052:23): arch=c000003e syscall=2 success=yes exit=3 a0=33da412f85 a1=0 a2=1b6 a3=238 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.052:24): avc: denied { getattr } for pid=2470 comm="cryptsetup" path="/proc/devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1245849053.052:24): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff1a547510 a2=7fff1a547510 a3=0 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.053:25): avc: denied { getattr } for pid=2470 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849053.053:25): arch=c000003e syscall=4 success=yes exit=0 a0=7fff1a547cc0 a1=7fff1a547c20 a2=7fff1a547c20 a3=10 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.053:26): avc: denied { read write } for pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1245849053.053:26): avc: denied { open } for pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849053.053:26): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a547cc0 a1=2 a2=a3f a3=10 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.062:27): avc: denied { search } for pid=2470 comm="cryptsetup" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1245849054.062:27): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd03 a2=1ef4970 a3=33da412f50 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.396:28): avc: denied { read write } for pid=2470 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849054.396:28): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd06 a2=1ef48a0 a3=33da412f50 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.397:29): avc: denied { mknod } for pid=2470 comm="cryptsetup" capability=27 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1245849054.397:29): avc: denied { create } for pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.397:29): arch=c000003e syscall=133 success=yes exit=0 a0=7fff1a5475c0 a1=61b0 a2=fd02 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.397:30): avc: denied { setattr } for pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.397:30): arch=c000003e syscall=92 success=yes exit=0 a0=7fff1a5475c0 a1=0 a2=6 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.493:31): avc: denied { relabelfrom } for pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=AVC msg=audit(1245849054.493:31): avc: denied { relabelto } for pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.493:31): arch=c000003e syscall=189 success=yes exit=0 a0=7fff1a5475c0 a1=3efea158d9 a2=1f03450 a3=29 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849055.871:32): avc: denied { unlink } for pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849055.871:32): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1a5476a0 a1=7fff1a547610 a2=0 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

or

#============= devicekit_disk_t ==============
allow devicekit_disk_t debugfs_t:dir search;
allow devicekit_disk_t device_t:blk_file { relabelfrom create setattr };
allow devicekit_disk_t fixed_disk_device_t:blk_file { relabelto unlink };
allow devicekit_disk_t lvm_control_t:chr_file { read write getattr open };
allow devicekit_disk_t proc_t:file { read getattr open };
allow devicekit_disk_t self:capability { mknod ipc_lock };

Looks like the "automagic mount" worked, however. I'll attach raw AVCs below.
Created attachment 349235
devicekit_disk_t AVCs from plugging in LUKS encrypted USB drive
I've relabeled as suggested in email. If this clears up when I get home, I'll close this out.
Yeah, relabeling "fixes" this. Closing....