Bug 507832 - setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "ipc_lock" devicekit_disk_t.
Summary: setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "ipc...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:000c1846852...
Depends On:
Blocks:
Reported: 2009-06-24 13:12 UTC by Tom London
Modified: 2009-06-25 13:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-25 13:42:29 UTC
Type: ---
Embargoed:


Attachments
devicekit_disk_t AVCs from plugging in LUKS encrypted USB drive (7.60 KB, text/plain)
2009-06-24 13:18 UTC, Tom London

Description Tom London 2009-06-24 13:12:38 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing cryptsetup (devicekit_disk_t) "ipc_lock" devicekit_disk_t.

Detailed Description:

SELinux denied access requested by cryptsetup. It is not expected that this
access is required by cryptsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        cryptsetup
Source Path                   /sbin/cryptsetup
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cryptsetup-luks-1.0.7-0.1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.19-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.24.rc0.git18.fc12.x86_64 #1 SMP Mon Jun
                              22 16:26:38 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 24 Jun 2009 06:10:53 AM PDT
Last Seen                     Wed 24 Jun 2009 06:10:53 AM PDT
Local ID                      366f0266-fea8-4bb8-9955-463c94d45479
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1245849053.31:22): avc:  denied  { ipc_lock } for  pid=2470 comm="cryptsetup" capability=14 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1245849053.31:22): arch=c000003e syscall=151 success=yes exit=0 a0=3 a1=0 a2=7fff1a548f70 a3=28 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= devicekit_disk_t ==============
allow devicekit_disk_t self:capability ipc_lock;

Comment 1 Tom London 2009-06-24 13:17:44 UTC
This is the first of a series of AVCs generated by plugging in a USB hard drive with a LUKS encrypted ext4 partition.

Here are the /var/log/messages for the rest:

Jun 24 06:10:55 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "ipc_lock" devicekit_disk_t. For complete SELinux messages. run sealert -l 366f0266-fea8-4bb8-9955-463c94d45479
Jun 24 06:10:57 tlondon kernel: EXT4-fs (dm-2): barriers enabled
Jun 24 06:10:58 tlondon kernel: kjournald2 starting: pid 2556, dev dm-2:8, commit interval 5 seconds
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): internal journal on dm-2:8
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): delayed allocation enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs: file extents enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs: mballoc enabled
Jun 24 06:10:58 tlondon kernel: EXT4-fs (dm-2): mounted filesystem with ordered data mode
Jun 24 06:11:01 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read" proc_t. For complete SELinux messages. run sealert -l 867ff008-a68c-49e4-ba6b-446593f21b04
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read" proc_t. For complete SELinux messages. run sealert -l 867ff008-a68c-49e4-ba6b-446593f21b04
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "getattr" proc_t. For complete SELinux messages. run sealert -l 2cfa237a-d9a0-40a9-8b37-c9be776daf08
Jun 24 06:11:02 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "getattr" lvm_control_t. For complete SELinux messages. run sealert -l 987bbe5f-b1d3-417b-92f4-0a87fa24ecb5
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 66eb5d47-a59e-4f02-a7b8-9279e964c75a
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 66eb5d47-a59e-4f02-a7b8-9279e964c75a
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "search" debugfs_t. For complete SELinux messages. run sealert -l 0817b1b1-cb6d-497d-af73-180558193710
Jun 24 06:11:03 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "read write" lvm_control_t. For complete SELinux messages. run sealert -l 38be1ce5-3426-4c4e-9e8e-6f5fad9b9b65
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "mknod" devicekit_disk_t. For complete SELinux messages. run sealert -l f2b5acd3-36db-4af8-a5aa-dfa98c3348c9
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "mknod" devicekit_disk_t. For complete SELinux messages. run sealert -l f2b5acd3-36db-4af8-a5aa-dfa98c3348c9
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "setattr" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 96d86dc6-34bb-4d41-8aa4-4851bbeee67b
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "relabelfrom" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 0d171650-211f-4836-8a31-b842eeb6e491
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "relabelfrom" access to device temporary-cryptsetup-2470. For complete SELinux messages. run sealert -l 0d171650-211f-4836-8a31-b842eeb6e491
Jun 24 06:11:04 tlondon setroubleshoot: SELinux is preventing cryptsetup (devicekit_disk_t) "unlink" fixed_disk_device_t. For complete SELinux messages. run sealert -l 6ef469e1-51d6-4f6f-9e74-3bd89f2d0997

The raw AVCs:
type=AVC msg=audit(1245849053.031:22): avc:  denied  { ipc_lock } for  pid=2470 comm="cryptsetup" capability=14 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1245849053.031:22): arch=c000003e syscall=151 success=yes exit=0 a0=3 a1=0 a2=7fff1a548f70 a3=28 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.052:23): avc:  denied  { read } for  pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1245849053.052:23): avc:  denied  { open } for  pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1245849053.052:23): arch=c000003e syscall=2 success=yes exit=3 a0=33da412f85 a1=0 a2=1b6 a3=238 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.052:24): avc:  denied  { getattr } for  pid=2470 comm="cryptsetup" path="/proc/devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1245849053.052:24): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff1a547510 a2=7fff1a547510 a3=0 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.053:25): avc:  denied  { getattr } for  pid=2470 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849053.053:25): arch=c000003e syscall=4 success=yes exit=0 a0=7fff1a547cc0 a1=7fff1a547c20 a2=7fff1a547c20 a3=10 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.053:26): avc:  denied  { read write } for  pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1245849053.053:26): avc:  denied  { open } for  pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849053.053:26): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a547cc0 a1=2 a2=a3f a3=10 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.062:27): avc:  denied  { search } for  pid=2470 comm="cryptsetup" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1245849054.062:27): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd03 a2=1ef4970 a3=33da412f50 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.396:28): avc:  denied  { read write } for  pid=2470 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849054.396:28): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=c138fd06 a2=1ef48a0 a3=33da412f50 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.397:29): avc:  denied  { mknod } for  pid=2470 comm="cryptsetup" capability=27 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1245849054.397:29): avc:  denied  { create } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.397:29): arch=c000003e syscall=133 success=yes exit=0 a0=7fff1a5475c0 a1=61b0 a2=fd02 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.397:30): avc:  denied  { setattr } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.397:30): arch=c000003e syscall=92 success=yes exit=0 a0=7fff1a5475c0 a1=0 a2=6 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.493:31): avc:  denied  { relabelfrom } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=AVC msg=audit(1245849054.493:31): avc:  denied  { relabelto } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.493:31): arch=c000003e syscall=189 success=yes exit=0 a0=7fff1a5475c0 a1=3efea158d9 a2=1f03450 a3=29 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849055.871:32): avc:  denied  { unlink } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" dev=tmpfs ino=46244 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849055.871:32): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1a5476a0 a1=7fff1a547610 a2=0 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

or


#============= devicekit_disk_t ==============
allow devicekit_disk_t debugfs_t:dir search;
allow devicekit_disk_t device_t:blk_file { relabelfrom create setattr };
allow devicekit_disk_t fixed_disk_device_t:blk_file { relabelto unlink };
allow devicekit_disk_t lvm_control_t:chr_file { read write getattr open };
allow devicekit_disk_t proc_t:file { read getattr open };
allow devicekit_disk_t self:capability { mknod ipc_lock };


Looks like the "automagic mount" worked, however.  I'll attach raw AVCs below.
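
The "audit2allow suggests" block in the description and the larger rule set above are both the result of the same mechanical step: each AVC denial is grouped by (source type, target type, object class) and the denied permissions are unioned into one allow rule. The following is an added example (not audit2allow itself, and not part of selinux-policy or cryptsetup) that performs that grouping over a few of the AVC/SYSCALL records quoted above, with the records copied verbatim as constructed sample input. It also pairs each AVC with its SYSCALL record by audit serial and reports denials where the syscall nevertheless returned success=yes, which is the case for every record on this page and matches the observation that the mount worked anyway. Function and variable names are this example's own. As the closing comments show, the resolution here was a relabel rather than adding these rules, so the rendered rules are a triage aid for reading the denials, not a fix to apply as-is.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules.

Added example for this bug report; not audit2allow, selinux-policy or
cryptsetup code. Input is audit-log text in the format quoted in the
report. All names below are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC/SYSCALL records quoted in the
# bug, copied verbatim (pid, inode and register values as reported there).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1245849053.031:22): avc:  denied  { ipc_lock } for  pid=2470 comm="cryptsetup" capability=14 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1245849053.031:22): arch=c000003e syscall=151 success=yes exit=0 a0=3 a1=0 a2=7fff1a548f70 a3=28 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.052:23): avc:  denied  { read } for  pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1245849053.052:23): avc:  denied  { open } for  pid=2470 comm="cryptsetup" name="devices" dev=proc ino=4026531988 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1245849053.052:23): arch=c000003e syscall=2 success=yes exit=3 a0=33da412f85 a1=0 a2=1b6 a3=238 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849053.053:26): avc:  denied  { read write } for  pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1245849053.053:26): avc:  denied  { open } for  pid=2470 comm="cryptsetup" name="control" dev=tmpfs ino=1265 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1245849053.053:26): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a547cc0 a1=2 a2=a3f a3=10 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1245849054.397:29): avc:  denied  { mknod } for  pid=2470 comm="cryptsetup" capability=27 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1245849054.397:29): avc:  denied  { create } for  pid=2470 comm="cryptsetup" name="temporary-cryptsetup-2470" scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1245849054.397:29): arch=c000003e syscall=133 success=yes exit=0 a0=7fff1a5475c0 a1=61b0 a2=fd02 a3=ffffffe7 items=0 ppid=1704 pid=2470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/sbin/cryptsetup" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
"""

# AVC record: serial, denied permission set, process name, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=\d+ comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)
# SYSCALL record: serial (pairs it with the AVC) and whether the call succeeded.
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... denied' record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "serial": int(m.group("serial")),
        "comm": m.group("comm"),
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scon")),
        "ttype": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
    }


def aggregate_denials(audit_text):
    """Union denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return dict(rules)


def render_rules(rules):
    """Render grouped denials as sorted allow statements in audit2allow's style."""
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        target = "self" if stype == ttype else ttype  # same type on both sides -> self
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return sorted(out)


def audited_but_not_blocked(audit_text):
    """Serials whose AVC was denied while the paired SYSCALL reports success=yes.

    Under enforcement a denial normally fails the syscall; a denial paired with
    success=yes means the access was audited but not blocked (for instance when
    the source domain is permissive), which is what this report's records show.
    """
    denied, succeeded = set(), set()
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            denied.add(avc["serial"])
            continue
        m = SYSCALL_RE.search(line)
        if m and m.group("success") == "yes":
            succeeded.add(int(m.group("serial")))
    return sorted(denied & succeeded)


if __name__ == "__main__":
    for rule in render_rules(aggregate_denials(SAMPLE_AUDIT)):
        print(rule)
    print("denied but syscall succeeded, serials:", audited_but_not_blocked(SAMPLE_AUDIT))
```

Run as a script it prints the four allow rules for the sampled records (capability, proc_t file, lvm_control_t chr_file, device_t blk_file) followed by the serials 22, 23, 26 and 29, all of which succeeded despite the denial. Pairing by serial rather than by timestamp matters because several AVC records share one SYSCALL (serial 23 and 26 each carry two denials for one open() call).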

Comment 2 Tom London 2009-06-24 13:18:49 UTC
Created attachment 349235
devicekit_disk_t AVCs from plugging in LUKS encrypted USB drive

Comment 3 Tom London 2009-06-24 21:16:03 UTC
I've relabeled as suggested in email.

If this clears up when I get home, I'll close this out.

Comment 4 Tom London 2009-06-25 13:42:29 UTC
Yeah, relabeling "fixes" this.  

Closing....

