I'm pretty sure this must have been a race, since without touching anything I now see:

$ dmsetup ls
luks-extra (253, 5)
$ ls -alZd /dev
drwxr-xr-x. root root system_u:object_r:device_t:s0 /dev
$ ls -alZd /dev/mapper/luks-extra /dev/dm-5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/mapper/luks-extra
$ ls -ald /dev/mapper/luks-extra /dev/dm-5
brw-rw----. 1 root disk 253, 5 2010-03-07 14:20 /dev/dm-5
brw-rw----. 1 root disk 253, 5 2010-03-07 14:20 /dev/mapper/luks-extra

I had just issued:

cryptsetup luksOpen /dev/sdb5 luks-extra
blockdev --getsize64 /dev/mapper/luks-extra

(no idea if the second command is important or not, but I didn't get/notice the selinux avc denial until afterwards; sdb is a GPT partitioned firewire800 external drive which had been already connected for quite a while [and I'd canceled the gui automount luks prompt when it popped up a few minutes earlier, soon after connecting it])

Summary:

SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device dm-5.

Detailed Description:

[hald-probe-volu has a permissive type (hald_t). This access was not denied.]

SELinux has denied hald-probe-volu "read" access to device dm-5. dm-5 is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v 'dm-5'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report.

If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for dm-5, you can use chcon -t SIMILAR_TYPE 'dm-5'. If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'dm-5'

If the restorecon changes the context, this indicates that the application that created the device created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v 'dm-5' or chcon -t SIMILAR_TYPE 'dm-5'

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                dm-5 [ blk_file ]
Source                        hald-probe-volu
Source Path                   /usr/libexec/hald-probe-volume
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 07 Mar 2010 02:20:18 PM PST
Last Seen                     Sun 07 Mar 2010 02:20:18 PM PST
Local ID                      dfa4e283-c82a-406c-954b-46c6af2794dc
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1268000418.464:36): avc: denied { read } for pid=3298 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=27800 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1268000418.464:36): arch=c000003e syscall=2 success=yes exit=128 a0=7fff4a25bc87 a1=0 a2=0 a3=8 items=0 ppid=1743 pid=3298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)

Hash String generated from  device,hald-probe-volu,hald_t,device_t,blk_file,read
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;
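The raw audit messages above carry more than the troubleshooter summary shows: the AVC record names the mislabeled node and the generic device_t target type, and the paired SYSCALL record (same audit serial) tells you whether the access was actually refused or merely logged because the source domain was permissive (success=yes / exit=128 in this first report, success=no / exit=-13 in the later one). The following detector is an added example written for this thread, not code from the bug report or from Fedora; it parses both audit records of the reports quoted here, pairs them by serial, and flags only device-node denials whose target carries the generic /dev label. The sample lines are copied from this page; the grouping logic and the "enforced" flag are my own.

```python
import re
from collections import defaultdict

# Sample input constructed from the two reports quoted in this thread
# (serial 36 from the first report, serial 13149 from the later one).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1268000418.464:36): avc: denied { read } for pid=3298 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=27800 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
node=(removed) type=SYSCALL msg=audit(1268000418.464:36): arch=c000003e syscall=2 success=yes exit=128 a0=7fff4a25bc87 a1=0 a2=0 a3=8 items=0 ppid=1743 pid=3298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)
node=nike type=AVC msg=audit(1271439408.17:13149): avc: denied { read } for pid=4635 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=282028235 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
node=nike type=SYSCALL msg=audit(1271439408.17:13149): arch=c000003e syscall=2 success=no exit=-13 a0=7ffff315fcf4 a1=0 a2=0 a3=8 items=0 ppid=1757 pid=4635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)
"""

# A block/char node carrying the /dev directory's own type has no label of
# its own; that is the condition the troubleshooter calls "mislabeled".
GENERIC_DEVICE_TYPES = {"device_t"}
DEVICE_CLASSES = {"blk_file", "chr_file"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")


def parse_record(line):
    """Split one audit line into its key=value fields, plus timestamp/serial/perms."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    m = PERMS_RE.search(line)
    if m:  # "{ read }" is not key=value, so it is pulled out separately
        fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def find_mislabeled_device_denials(text):
    """One finding per audit event whose AVC targets a device node with a generic label.

    AVC and SYSCALL records of the same event share a serial; the SYSCALL's
    success= field says whether the denial was enforced (success=no) or only
    logged by a permissive domain (success=yes), as in this thread's reports.
    """
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial[rec.get("serial")][rec.get("type")] = rec

    findings = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if not avc or avc.get("tclass") not in DEVICE_CLASSES:
            continue
        ttype = context_type(avc["tcontext"])
        if ttype not in GENERIC_DEVICE_TYPES:
            continue
        syscall = recs.get("SYSCALL", {})
        findings.append({
            "serial": serial,
            "device": avc.get("name"),
            "source_type": context_type(avc["scontext"]),
            "target_type": ttype,
            "perms": avc.get("perms", []),
            "enforced": syscall.get("success") == "no",
            "exit": int(syscall["exit"]) if "exit" in syscall else None,
            "exe": syscall.get("exe"),
        })
    return sorted(findings, key=lambda f: int(f["serial"]))


if __name__ == "__main__":
    for f in find_mislabeled_device_denials(SAMPLE_AUDIT):
        state = "ENFORCED" if f["enforced"] else "logged only (permissive domain)"
        print(f"serial {f['serial']}: {f['exe']} ({f['source_type']}) -> "
              f"{f['device']} labeled {f['target_type']}: {state}, exit={f['exit']}")
```

Feed it the output of `ausearch -m AVC,SYSCALL` (or the raw lines from a troubleshooter report) to separate genuine enforcement failures from the noise a permissive domain produces; a node that shows up repeatedly here but carries the right label when you inspect it afterwards is the race this thread describes, not a policy gap.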
If you just run

cryptsetup luksOpen /dev/sdb5 luks-extra; ls -lZ /dev/dm-*

what do you get for output?
Miroslav, I think we need

optional_policy(`
	lvm_run(unconfined_usertype, unconfined_r)
')

Also lvm_run should look like

interface(`lvm_run',`
	gen_require(`
		type lvm_t;
		type clvmd_t;
	')

	lvm_domtrans($1)
	role $2 types lvm_t;
	role $2 types clvmd_t;
	modutils_run_insmod(lvm_t, $2)
')
OK, added to selinux-policy-3.6.32-100.fc12
# cryptsetup luksOpen /dev/sdb5 luks-extra; ls -lZ /dev/dm-*
Enter passphrase for /dev/sdb5:
Key slot 0 unlocked.
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-4
brw-------. root root system_u:object_r:device_t:s0 /dev/dm-5
# ls -lZ /dev/dm-*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-4
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5
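The two listings above show the whole problem in miniature: immediately after luksOpen the new node is root:root with the generic device_t label, and moments later (once udev has processed the event) it is root:disk with fixed_disk_device_t like its siblings. A check that looks once will misreport the race as a persistent mislabel. The script below is an added example written for this thread, not code from the bug report or from the selinux-policy package: it polls each device-mapper node's label a few times before deciding, distinguishing "ok", "transient" (settled within the window) and "mislabeled" (still generic), and emits the restorecon command the troubleshooter recommends without running it. The expected type fixed_disk_device_t and the device names come from the page; the retry window, the `/dev/dm-6` node in the demo and the fake label reader used to exercise it offline are constructed assumptions.

```python
import os
import time

EXPECTED_TYPE = "fixed_disk_device_t"   # label the sibling dm-* nodes carry above
GENERIC_TYPE = "device_t"               # label inherited from the /dev directory


def read_selinux_type(path):
    """Read the SELinux type of a file from its security.selinux xattr.

    Raises OSError on systems without SELinux xattrs, which is why the check
    below accepts a reader callable so it can be exercised offline.
    """
    ctx = os.getxattr(path, "security.selinux").decode().rstrip("\0")
    return ctx.split(":")[2]


def check_dm_nodes(paths, reader=read_selinux_type, attempts=5, delay=0.2,
                   sleep=time.sleep):
    """Poll each node's label and classify it.

    Returns {path: status} where status is:
      "ok"          expected type on first look
      "transient"   generic type at first, expected type within the retry
                    window (the udev race seen in this thread)
      "mislabeled"  still generic after all attempts (worth a restorecon and,
                    if that changes it, a bug against whatever created the node)
      "other:<t>"   some third type; left for a human to look at
    """
    results = {}
    for path in paths:
        status = "mislabeled"
        saw_generic = False
        for i in range(attempts):
            t = reader(path)
            if t == EXPECTED_TYPE:
                status = "transient" if saw_generic else "ok"
                break
            if t != GENERIC_TYPE:
                status = "other:" + t
                break
            saw_generic = True
            if i < attempts - 1:
                sleep(delay)
        results[path] = status
    return results


def remediation_commands(results):
    """restorecon lines for nodes that stayed mislabeled; nothing is executed here."""
    return ["restorecon -v " + p for p, s in results.items() if s == "mislabeled"]


def make_fake_reader(script):
    """Offline stand-in for read_selinux_type (constructed for testing).

    script maps path -> list of types returned on successive reads; the last
    value repeats once the list is exhausted.
    """
    calls = {p: 0 for p in script}

    def reader(path):
        seq = script[path]
        i = min(calls[path], len(seq) - 1)
        calls[path] += 1
        return seq[i]
    return reader


if __name__ == "__main__":
    # Constructed scenario mirroring the listings above: dm-5 starts out
    # generic and settles; dm-6 (hypothetical) never does.
    fake = make_fake_reader({
        "/dev/dm-0": ["fixed_disk_device_t"],
        "/dev/dm-5": ["device_t", "device_t", "fixed_disk_device_t"],
        "/dev/dm-6": ["device_t"],
    })
    r = check_dm_nodes(["/dev/dm-0", "/dev/dm-5", "/dev/dm-6"],
                       reader=fake, sleep=lambda s: None)
    for path, status in r.items():
        print(path, status)
    for cmd in remediation_commands(r):
        print("suggested:", cmd)
    # On a real Fedora host: check_dm_nodes(sorted(glob.glob("/dev/dm-*")))
```

Run it right after `cryptsetup luksOpen` with the default reader to see whether your node lands in "transient" (the race, which the policy update cannot remove) or "mislabeled" (a genuine labeling gap, which is what restorecon and the bug report are for).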
I see this error also on a crypt filesystem mounted via pam-mount (i.e. <volume fstype="crypt" ... /> in /etc/security/pam_mount.conf.xml). I'll note that before I added option="fsck" I did not see this error. Not sure if that's related.
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
I wonder if the fixed policy package CAUSED the same error to appear for me? At least I am seeing selinux warnings for some time now and the reporting tool now brought me here. Not exactly sure what causes the problem for me but I use LUKS as well...
Michael, please attach the output from the troubleshooter.
I upgraded to the policy packages in updates-testing (-108) and have not seen the problem since.
So... this just happened to me once again, and once again when I look at the file the context is correct, so it looks like it is a race condition. Note that this is with -108. Now upgrading to -110.

Summary:

SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device dm-5.

Detailed Description:

SELinux has denied hald-probe-volu "read" access to device dm-5. dm-5 is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v 'dm-5'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report.

If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for dm-5, you can use chcon -t SIMILAR_TYPE 'dm-5'. If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'dm-5'

If the restorecon changes the context, this indicates that the application that created the device created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v 'dm-5' or chcon -t SIMILAR_TYPE 'dm-5'

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                dm-5 [ blk_file ]
Source                        hald-probe-volu
Source Path                   /usr/libexec/hald-probe-volume
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux nike 2.6.32.10-88.fc12.x86_64 #1 SMP Sat Mar 20 01:25:13 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 16 Apr 2010 10:36:48 AM PDT
Last Seen                     Fri 16 Apr 2010 10:36:48 AM PDT
Local ID                      91cf5a80-abb3-45b4-b1ff-f8808814a1cd
Line Numbers

Raw Audit Messages

node=nike type=AVC msg=audit(1271439408.17:13149): avc: denied { read } for pid=4635 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=282028235 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=nike type=SYSCALL msg=audit(1271439408.17:13149): arch=c000003e syscall=2 success=no exit=-13 a0=7ffff315fcf4 a1=0 a2=0 a3=8 items=0 ppid=1757 pid=4635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)
Miroslav, F13 has dev_manage_generic_blk_files(hald_t)
It was fixed in selinux-policy-3.6.32-109.fc12. Maciej, just run yum update selinux-policy-targeted