libreport version: 2.0.7
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.1.2-1.fc16.i686
reason: SELinux is preventing /sbin/modprobe from 'read' accesses on the file /lib/modules/3.1.2-1.fc16.i686/kernel/fs/ecryptfs/ecryptfs.ko.
time: Sat 26 Nov 2011 20:35:54 CET
description: Text file, 2866 bytes
Created attachment 536892
File: description
After having set up a ~/Private directory with ecryptfs-setup-private and having enabled mount-on-login with authconfig --enableecryptfs --updateall, I have the strange behavior that on the first login after a reboot, ~/Private is mounted but not decrypted (ecryptfs is per file+filename, so you can still see the presence of encrypted files) and only after logging out and in again is it properly mounted decrypted. This behavior does not arise with SELinux in permissive mode. I have things like ~/.mozilla symlinked to ~/Private so if it doesn't mount properly Firefox and other things don't work.
Dag, could you try ecryptfs with the changes which I described in https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17?
I tried that, and after rebooting with SELinux in enforcing mode, it still didn't work.
Ok, what AVC are you getting in permissive mode? It was working for me.
You're right I'm not getting any AVC denials, so perhaps the issue is unrelated to this bug. I recall reading somewhere SELinux might cause a race condition loading the ecryptfs module or something like that?
Actually, with aureport --avc I see things like this:
204. 20/01/12 00:29:01 umount.ecryptfs system_u:system_r:mount_t:s0-s0:c0.c1023 288 key write unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 denied 172
But only with SELinux in Enforcing mode I think.
what does # ausearch -m user_avc
$ sudo ausearch -m user_avc
----
time->Mon Oct 17 22:33:09 2011
type=USER_AVC msg=audit(1318883589.426:125): user pid=993 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.131 spid=1001 tpid=5645 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Oct 17 22:33:35 2011
type=USER_AVC msg=audit(1318883615.465:128): user pid=993 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.131 spid=1001 tpid=5645 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Oct 17 22:34:05 2011
type=USER_AVC msg=audit(1318883645.811:131): user pid=993 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.131 spid=1001 tpid=5645 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Oct 18 19:51:19 2011
type=USER_AVC msg=audit(1318960279.135:61): user pid=983 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Oct 18 19:51:39 2011
type=USER_AVC msg=audit(1318960299.017:62): user pid=983 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Oct 18 19:52:11 2011
type=USER_AVC msg=audit(1318960331.291:65): user pid=983 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Oct 18 19:52:39 2011
type=USER_AVC msg=audit(1318960359.103:68): user pid=983 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Oct 18 19:53:03 2011
type=USER_AVC msg=audit(1318960383.716:69): user pid=983 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
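
An added example, not part of the original thread: the repeated USER_AVC records in the output above collapse to a single unique denial once reduced to (source type, target type, class, permission), which is the tuple to check against the installed policy. The sample records are constructed: two follow the shape of the posted output, and the kernel AVC line is modelled on the aureport summary earlier in the thread, with a made-up timestamp and pid.

```python
import re
from collections import Counter

# Constructed sample input (see lead-in); not real log data.
SAMPLE = """\
type=USER_AVC msg=audit(1318883589.426:125): user pid=993 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.131 spid=1001 tpid=5645 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1318960279.135:61): user pid=983 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.74 spid=992 tpid=1849 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1327015741.000:172): avc:  denied  { write } for  pid=1234 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
"""

# Matches the "avc:" payload of both kernel AVC and userspace USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]


def summarize_denials(text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        src, tgt = selinux_type(m.group("scon")), selinux_type(m.group("tcon"))
        for perm in m.group("perms").split():
            counts[(src, tgt, m.group("tclass"), perm)] += 1
    return counts


def as_allow_rules(counts):
    """Render each unique denial in allow-rule shape, for review against policy."""
    return sorted(f"allow {s} {t}:{c} {p};" for s, t, c, p in counts)


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE)):
        print(rule)
```
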
Looks like those are allowed in selinux-policy-3.10.0-74.fc16
Name : selinux-policy
Arch : noarch
Version : 3.10.0
Release : 72.fc16
Not in my mirror yet?
OK I enabled updates-testing now:
Name : selinux-policy
Arch : noarch
Version : 3.10.0
Release : 74.fc16
and rebooted with SELinux in enforcing mode, and the issue remains. To clarify: ~/Private does get mounted when I log in, but not decrypted. I see files named ECRYPTFS_BLARGH_SOMETHING_SOMETHING and such.
I should add that it no longer works to log out and back in again with SELinux in enforcing mode. Not even sudo setenforce 0 and the login dance helps. I have to actually reboot with SELinux in permissive mode or disabled. ecryptfs-mount-private doesn't do anything and ecryptfs-umount-private complains about the session still being active.
To clarify this bug: Dag, do you have the policy from https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17 installed?
Am I supposed to test that under permissive mode? There is no bug to test in permissive mode - it already works and there are no SELinux alerts. The problem is SELinux in enforcing mode.
OK I followed the instructions while in Permissive mode and rebooted with Enforcing. It now works if I log in from a TTY; but if I log in from GDM it only works if I've already logged in at least once before (from either a TTY or GDM). I don't remember if I've done the TTY test before so I don't know if this is new or not.
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.