+++ This bug was initially created as a clone of Bug #757691 +++

libreport version: 2.0.7
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.2-1.fc16.x86_64
reason:         SELinux is preventing /bin/login from 'getattr' accesses on the archivo /home/jairot/.ecryptfs/auto-mount.
time:           lun 28 nov 2011 13:08:05 CET

description:
Text file, 2506 bytes

--- Additional comment from yajo.sk8 on 2011-11-28 07:10:23 EST ---

Created attachment 537444 [details]
File: description

--- Additional comment from mgrepl on 2011-11-28 07:34:21 EST ---

Could you try these steps

https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17

--- Additional comment from yajo.sk8 on 2011-12-02 16:24:21 EST ---

I tried that. After rebooting and logging in, the SELinux alert is not showing up, but I keep experiencing the problem described in bug 487088 comment 25, as before doing all this.

sudo sh Descargas/ecrypt/ecrypt.sh jairot
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: No se hace nada para `all'.
+ /usr/sbin/semodule -i ecrypt.pp
/usr/sbin/semodule: Failed on ecrypt.pp!
+ /sbin/restorecon -R -v /home/jairot
/sbin/restorecon reset /home/jairot/.local/share/Trash/files/fl El esposo que se gana profundo respeto.wtfav context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:data_home_t:s0
+ /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
+ /sbin/restorecon -R -v /home/.ecrypfs/jairot

$ sudo setsebool -P use_ecryptfs_home_dirs 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean use_ecryptfs_home_dirs
Could not change policy booleans

--- Additional comment from mgrepl on 2011-12-05 05:44:26 EST ---

Are you building it on F16?

--- Additional comment from yajo.sk8 on 2011-12-06 03:53:10 EST ---

(In reply to comment #4)
> Are you building it on F16?

I'm using the pre-built package from the repository, and I'm on F16.

--- Additional comment from mgrepl on 2011-12-06 06:27:40 EST ---

Ok, strange, I am able to compile/install the policy which I attached. Could you try to do these steps

# cd Descargas/ecrypt
# make -f /usr/share/selinux/devel/Makefile clean
# make -f /usr/share/selinux/devel/Makefile ecrypt.pp
# semodule -i ecrypt.pp

Thank you.

--- Additional comment from yajo.sk8 on 2011-12-11 06:51:30 EST ---

(In reply to comment #6)
> Ok, strange, I am able to compile/install the policy which I attached. Could
> you try to do these steps
>
> # cd Descargas/ecrypt
> # make -f /usr/share/selinux/devel/Makefile clean
> # make -f /usr/share/selinux/devel/Makefile ecrypt.pp
> # semodule -i ecrypt.pp
>
> Thank you.

Done that, rebooted and logged in. Problem persists, wrong files are mounted:

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

After doing this, good files are mounted:

$ ecryptfs-umount-private
$ ecryptfs-mount-private

--- Additional comment from mgrepl on 2011-12-12 06:27:36 EST ---

So the "semodule -i ecrypt.pp" command worked without any error?

If so, you just need to execute these commands

# /sbin/restorecon -R -v /home/jairot
# /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
# /sbin/restorecon -R -v /home/.ecrypfs/jairot
# setsebool -P use_ecryptfs_home_dirs 1

and now it should work from the SELinux point of view.
--- Additional comment from yajo.sk8 on 2011-12-20 14:16:15 EST ---

(In reply to comment #8)
> So the "semodule -i ecrypt.pp" command worked without any error?
>
> If so, you just need to execute these commands
>
> # /sbin/restorecon -R -v /home/jairot
> # /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
> # /sbin/restorecon -R -v /home/.ecrypfs/jairot
> # setsebool -P use_ecryptfs_home_dirs 1
>
> and now it should work from the SELinux point of view.

After doing that, I rebooted and the wrong files are still mounted, but now after unmounting and mounting again, the wrong files stay there. No workaround now...

--- Additional comment from mgrepl on 2011-12-21 05:40:00 EST ---

And are you trying it in permissive mode?

--- Additional comment from mhlavink on 2011-12-21 06:37:45 EST ---

(Talking about comment #7)

what do you mean by wrong files mounted? are just file names not decrypted or even the content is not decrypted?

what is "mount" output when you see this problem and what is "mount" output after remount?

--- Additional comment from yajo.sk8 on 2011-12-22 09:35:27 EST ---

(In reply to comment #10)
> And are you trying it in permissive mode?

I tried, but the results are the same.

(In reply to comment #11)
> are just file names not decrypted or even the content is not decrypted?

Both.

> what do you mean by wrong files mounted?
> [...]
> what is "mount" output when you see this problem and what is "mount" output
> after remount?
See here:

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
/dev/sda5 on /home type ext4 (rw)
/dev/sda6 on /boot type ext4 (rw)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)

$ ecryptfs-umount-private
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
/dev/sda5 on /home type ext4 (rw)
/dev/sda6 on /boot type ext4 (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)

--- Additional comment from yajo.sk8 on 2011-12-30 09:51:54 EST ---

(In reply to comment #6)
> Ok, strange, I am able to compile/install the policy which I attached. Could
> you try to do these steps
>
> # cd Descargas/ecrypt
> # make -f /usr/share/selinux/devel/Makefile clean
> # make -f /usr/share/selinux/devel/Makefile ecrypt.pp
> # semodule -i ecrypt.pp
>
> Thank you.

Is there any way to undo what I did in this step? I need access to my encrypted files...

--- Additional comment from mgrepl on 2012-01-02 04:20:24 EST ---

If you run it in permissive mode then SELinux is not your problem.

--- Additional comment from yajo.sk8 on 2012-01-08 04:28:05 EST ---

(In reply to comment #14)
> If you run it in permissive mode then SELinux is not your problem.

Then how can I get a clue about where the problem is, so I can submit a bug to the right package?
what is your output of

$ ls -l ~/.ecryptfs

and output of

$ keyctl show

after mount?

> /home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)

I've checked old bugs and it's the same key signature as the one you were using when it worked (fully or partially), so this really is odd.

what kernel and ecryptfs-utils version do you use?

uname -ra
rpm -q ecryptfs-utils

thanks
(In reply to comment #1)

$ ls -l ~/.ecryptfs/
total 12
-rw-------. 1 jairot jairot  0 ago  2 19:10 auto-mount
-rw-------. 1 jairot jairot  0 ago  2 19:10 auto-umount
-rw-------. 1 jairot jairot 21 ago  2 19:10 Private.mnt
-rw-------. 1 jairot jairot 34 ago  2 19:10 Private.sig
-r--------. 1 jairot jairot 48 ago  2 19:10 wrapped-passphrase

$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
827442365 --alswrv   1000    -1   \_ keyring: _uid.1000
816821061 --alswrv   1000  1000   \_ user: 4f4809770febd99e

$ ecryptfs-umount-private
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
827442365 --alswrv   1000    -1   \_ keyring: _uid.1000
759433863 --alswrv   1000  1000   \_ user: 4f4809770febd99e

$ uname -ra
Linux hpfedora.localdomain 3.1.2-1.fc16.x86_64 #1 SMP Tue Nov 22 09:00:57 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q ecryptfs-utils
ecryptfs-utils-90-2.fc16.x86_64

> I've checked old bugs and it's the same key signature as the one you were
> using when it worked (fully or partially), so this really is odd.

True. This bug reappeared after upgrading to F16. I managed to rescue all my private data from an Ubuntu LiveCD, so at least nothing has been lost, which is a relief...

By the way, it's quite strange that I had the workaround of unmounting and re-mounting, but after doing the stuff in bug #757691 comment #8, the workaround doesn't work even in permissive mode! Weird...
(In reply to comment #2)
> > I've checked old bugs and it's the same key signature as the one you were
> > using when it worked (fully or partially), so this really is odd.
>
> True. This bug reappeared after upgrading to F16. I managed to rescue all my
> private data from an Ubuntu LiveCD, so at least nothing has been lost, which is
> a relief...

so you were able to use exactly this data (encrypted files and ~/.ecryptfs content) using livecd without problem?

please try to reboot and in grub select the oldest kernel you have available and add 'enforcing=0' to kernel command line.

if it does not help, try
yum downgrade ecryptfs-utils
I moved ~/.ecryptfs and ~/.Private to another location and did:

$ ecryptfs-setup-private
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR: Could not add passphrase to the current keyring

Maybe those error messages are helpful...

(In reply to comment #3)
> so you were able to use exactly this data (encrypted files and ~/.ecryptfs
> content) using livecd without problem?

I think I had to set up everything with ecryptfs-setup-private and the same passphrase, and then replace ~/.Private with my equivalent folder.

> please try to reboot and in grub select the oldest kernel you have available

I have only one kernel.

> add 'enforcing=0' to kernel command line.

I don't know how to do that.

> if it does not help, try yum downgrade ecryptfs-utils

$ sudo yum downgrade ecryptfs-utils
[...]
Solo existe la posibilidad de actualizar el paquete: ecryptfs-utils-90-2.fc16.x86_64
Nada para hacer
Any updates on this?
> Error: Your kernel does not support filename encryption
> ERROR: Could not add passphrase to the current keyring

this is odd

what packages do you have installed?
$ rpm -q kernel

which one is running?
$ uname -ra

>> add 'enforcing=0' to kernel command line.
> I don't know how to do that.

If you have grub2 (background is black):
- select what you want to boot by up/down keys
- press 'e' to edit it
- find line starting with "linux /boot/vmlinuz-3...." (you won't have "/boot" there if you have separate /boot partition)
- add ' enforcing=0' at the end of that line
- press F10 to boot

if you have grub1 (background is blue):
- select what you want to boot by up/down keys
- press 'e' to edit it
- find line starting with "kernel /boot/vmlinuz-3...." (you won't have "/boot" there if you have separate /boot partition)
- press 'e' to edit that line
- add ' enforcing=0' at the end of that line
- confirm with Enter
- press 'b' to boot
(In reply to comment #6)
> what packages do you have installed?

$ rpm -q kernel
kernel-3.1.2-1.fc16.x86_64
kernel-3.1.8-2.fc16.x86_64
kernel-3.1.9-1.fc16.x86_64

> which one is running?

$ uname -ra
Linux hpfedora.localdomain 3.1.2-1.fc16.x86_64 #1 SMP Tue Nov 22 09:00:57 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

> >> add 'enforcing=0' to kernel command line.
> > I don't know how to do that.
>
> If you have grub2 (background is black):
> - select what you want to boot by up/down keys
> - press 'e' to edit it
> - find line starting with "linux /boot/vmlinuz-3...." (you won't have "/boot"
> there if you have separate /boot partition)
> - add ' enforcing=0' at the end of that line
> - press F10 to boot

Done that, but nothing changes...
I guess you've tried different kernel versions too? If not, please try updating to the 3.2.1-3 kernel and test if it changes anything.

Try to use
modprobe ecryptfs

what output does it give you:
cat /sys/fs/ecryptfs/version

> Enter your mount passphrase [leave blank to generate one]:
> Enter your mount passphrase (again):
>
> ************************************************************************
> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
>   ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
> ************************************************************************

do you have your mount passphrase or not?

Also please try to add a new user, just for testing, and see if ecryptfs works there (with new data, not with the old ones you already have). If it works, what is the output of 'mount' once Private is mounted?

thanks
(In reply to comment #8)
> I guess you've tried different kernel versions too? If not, please try updating
> to the 3.2.1-3 kernel and test if it changes anything.
>
> Try to use
> modprobe ecryptfs
>
> what output does it give you:
> cat /sys/fs/ecryptfs/version

$ uname -a
Linux hpfedora.localdomain 3.2.1-3.fc16.x86_64 #1 SMP Mon Jan 23 15:36:17 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ modprobe ecryptfs
$ cat /sys/fs/ecryptfs/version
375

> do you have your mount passphrase or not?

I have it. That's how I rescued the data from Ubuntu.

> Also please try to add a new user, just for testing, and see if ecryptfs works
> there (with new data, not with the old ones you already have). If it works,
> what is the output of 'mount' once Private is mounted?

$ sudo useradd --create-home --groups ecryptfs testuser

$ su testuser
Contraseña:

[testuser@hpfedora ~]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR: Could not add passphrase to the current keyring

[testuser@hpfedora ~]$ ecryptfs-mount-private
ERROR: Encrypted private directory is not setup properly

[testuser@hpfedora ~]$ ls Private/ .Private/ .ecryptfs/
.ecryptfs/:
auto-mount  auto-umount  wrapped-passphrase

.Private/:

Private/:
Access-Your-Private-Data.desktop  README.txt

[testuser@hpfedora ~]$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
/dev/sda6 on /boot type ext4 (rw)
/dev/sda5 on /home type ext4 (rw)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)
try to run following command:

ecryptfs-unwrap-passphrase /home/jairot/.ecryptfs/wrapped-passphrase

does it show your mount passphrase or is your mount passphrase different?

Also try following as root:

modprobe ecryptfs

mount -t ecryptfs /home/jairot/.Private /home/jairot/Private -o "key=passphrase:passphrase_passwd=YOUR_MOUNT_PASSPHRASE,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no"

replace YOUR_MOUNT_PASSPHRASE with your actual mount passphrase.

Test if it mounts your data correctly. It should just decrypt data, not the filenames, so check your data even if the file names are encrypted.

If it does not work, is there any error message in /var/log/messages?
(In reply to comment #10)
> try to run following command:
>
> ecryptfs-unwrap-passphrase /home/jairot/.ecryptfs/wrapped-passphrase
>
> does it show your mount passphrase or is your mount passphrase different?

It shows the correct one.

> Also try following as root:
>
> modprobe ecryptfs
>
> mount -t ecryptfs /home/jairot/.Private /home/jairot/Private -o "key=passphrase:passphrase_passwd=YOUR_MOUNT_PASSPHRASE,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no"
>
> replace YOUR_MOUNT_PASSPHRASE with your actual mount passphrase.
>
> Test if it mounts your data correctly. It should just decrypt data, not the
> filenames, so check your data even if the file names are encrypted.

Works. Filenames are encrypted but data is readable.

> If it does not work, is there any error message in /var/log/messages?

$ sudo cat /var/log/messages | grep ecryptfs
Jan 29 11:02:33 hpfedora gdm-welcome][1127]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Jan 29 11:02:46 hpfedora gdm-password][1292]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: Can't check if kernel supports ecryptfs
Jan 29 11:02:46 hpfedora gdm-password][1307]: ecryptfs: fill_keyring: Passphrase file wrapped
Jan 29 11:29:11 hpfedora umount.ecryptfs_private: Failed to unlink key with sig [4f4809770febd99e]: Permission denied
Jan 29 11:47:42 hpfedora gdm-welcome][1101]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Jan 29 11:48:34 hpfedora gdm-password][1262]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: Can't check if kernel supports ecryptfs
Jan 29 11:48:35 hpfedora gdm-password][1302]: ecryptfs: fill_keyring: Passphrase file wrapped
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [openssl] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [openssl] has empty parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [pkcs11-helper] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [pkcs11-helper] has empty parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount point in [/etc/mtab]. Defaulting to [/proc].
> Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount point in [/etc/mtab]. Defaulting to [/proc].

do you have /etc/mtab -> /proc/mounts symlink?

the errors you get are very strange. We'll try to focus on following case:

> $ sudo useradd --create-home --groups ecryptfs testuser
>
> $ su testuser
> Contraseña:
>
> [testuser@hpfedora ~]$ ecryptfs-setup-private
> Enter your login passphrase [testuser]:
> Enter your mount passphrase [leave blank to generate one]:
> Enter your mount passphrase (again):
>
> ************************************************************************
> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
>   ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
> ************************************************************************
>
> Error: Your kernel does not support filename encryption
> ERROR: Could not add passphrase to the current keyring

so we don't change anything in your current user.

1) remove test user with his home directory
userdel --remove testuser

2) add user again
useradd -G ecryptfs testuser
passwd testuser

3) insert ecryptfs kernel module
modprobe ecryptfs

4) check module is present:
cat /sys/fs/ecryptfs/version
gives you "375"

5) become testuser
ssh testuser@localhost

6) setup ecryptfs Private
ecryptfs-setup-private

7) check if it works

if it does not work, add selinux=0 to kernel command line (see comment #6), check selinux is disabled (using 'sestatus') and repeat above procedure. On next reboot, selinux will get enabled again and it will relabel (check selinux context) all files on boot, so it (next boot) will take about 5-10 minutes longer than usual.
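As an added example that is not part of this bug report or of ecryptfs-utils, the following read-only shell check gathers in one place what the procedure above and the rest of the thread inspect by hand before ecryptfs-setup-private is attempted: the /etc/mtab symlink, the ecryptfs module, the use_ecryptfs_home_dirs boolean and the control files under ~/.ecryptfs. The ROOT prefix argument, the selinuxfs boolean file layout and the script file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from ecryptfs-utils: a read-only
# pre-flight check for the ecryptfs-setup-private procedure. ROOT prefixes the
# system paths so the function can be pointed at a constructed directory tree;
# on a live system use ROOT=/ .

# ecryptfs_precheck ROOT HOME
#   ROOT  prefix for /etc and /sys ("/" on a real system)
#   HOME  the user's home directory relative to ROOT, e.g. home/testuser
# Prints one line per finding; the return value is the number of problems
# found, so 0 means the environment looks like the working user's does.
ecryptfs_precheck() {
    root=${1%/}
    home="$root/${2#/}"
    problems=0

    # 1) /etc/mtab should be a symlink to /proc/mounts. A regular file is what
    #    mount.ecryptfs complains about ("Error attempting to find proc mount
    #    point in [/etc/mtab]") and it lets stale entries accumulate, which is
    #    where the dozens of repeated fusectl lines in the thread come from.
    if [ -L "$root/etc/mtab" ]; then
        echo "ok: /etc/mtab -> $(readlink "$root/etc/mtab")"
    else
        echo "problem: /etc/mtab is a regular file, not a symlink to /proc/mounts"
        problems=$((problems + 1))
        if [ -f "$root/etc/mtab" ]; then
            dups=$(sort "$root/etc/mtab" | uniq -d | wc -l | tr -d ' ')
            [ "$dups" -gt 0 ] && echo "  note: $dups distinct entries are repeated in /etc/mtab"
        fi
    fi

    # 2) The ecryptfs kernel module must be loaded (comment #12 expects "375").
    if [ -r "$root/sys/fs/ecryptfs/version" ]; then
        echo "ok: ecryptfs module loaded, version $(cat "$root/sys/fs/ecryptfs/version")"
    else
        echo "problem: /sys/fs/ecryptfs/version is missing (run: modprobe ecryptfs)"
        problems=$((problems + 1))
    fi

    # 3) With SELinux active, the loaded policy must define use_ecryptfs_home_dirs
    #    and it should be on; "record not found in the database" from setsebool
    #    in the cloned bug means the boolean does not exist at all.
    #    Assumed selinuxfs layout: /sys/fs/selinux/booleans/<name> holds
    #    "<current> <pending>", e.g. "1 1".
    bool="$root/sys/fs/selinux/booleans/use_ecryptfs_home_dirs"
    if [ -e "$root/sys/fs/selinux/enforce" ]; then
        if [ ! -r "$bool" ]; then
            echo "problem: SELinux is active but the policy has no use_ecryptfs_home_dirs boolean"
            problems=$((problems + 1))
        elif [ "$(cut -d' ' -f1 "$bool")" != "1" ]; then
            echo "problem: use_ecryptfs_home_dirs is off (setsebool -P use_ecryptfs_home_dirs 1)"
            problems=$((problems + 1))
        else
            echo "ok: use_ecryptfs_home_dirs is on"
        fi
    else
        echo "skip: selinuxfs not mounted, SELinux is disabled"
    fi

    # 4) Control files in ~/.ecryptfs. The working user in the thread has
    #    Private.mnt, Private.sig and wrapped-passphrase, none readable by group
    #    or others; the failing testuser lacks Private.mnt and Private.sig, which
    #    is what "Encrypted private directory is not setup properly" refers to.
    for f in Private.mnt Private.sig wrapped-passphrase; do
        path="$home/.ecryptfs/$f"
        if [ ! -f "$path" ]; then
            echo "problem: $path is missing"
            problems=$((problems + 1))
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "problem: $path is accessible to group or others (expected 0600 or 0400)"
            problems=$((problems + 1))
        else
            echo "ok: $path present and private"
        fi
    done

    return "$problems"
}

# Stand-alone use on a live system: sh precheck.sh /home/jairot (the file name
# is hypothetical); with no argument only the function is defined.
if [ -n "${1:-}" ]; then
    ecryptfs_precheck / "$1"
fi
```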
(In reply to comment #12) > > Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount > point in [/etc/mtab]. Defaulting to [/proc]. > > do you have /etc/mtab -> /proc/mounts symlink? Seems like not: $ ls -l /etc/mtab /proc/mounts -rw-r--r--. 1 root root 4079 ene 31 14:38 /etc/mtab lrwxrwxrwx. 1 root root 11 ene 31 14:49 /proc/mounts -> self/mounts Here are their contents: $ cat /etc/mtab fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 
fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 /dev/sda6 /boot ext4 rw 0 0 /dev/sda5 /home ext4 rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl 
/sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 /dev/sda6 /boot ext4 rw 0 0 /dev/sda5 /home ext4 rw 0 0 /home/jairot/.Private /home/jairot/Private ecryptfs ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e 0 0 fusectl /sys/fs/fuse/connections fusectl rw 0 0 gvfs-fuse-daemon /home/jairot/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user=jairot 0 0 $ cat /proc/mounts rootfs / rootfs rw 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0 devtmpfs /dev devtmpfs rw,seclabel,nosuid,relatime,size=1015656k,nr_inodes=253914,mode=755 0 0 devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,relatime 0 0 tmpfs /run tmpfs rw,seclabel,nosuid,nodev,relatime,mode=755 0 0 /dev/sda8 / ext4 rw,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0 tmpfs /run tmpfs rw,seclabel,nosuid,nodev,relatime,mode=755 0 0 selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0 tmpfs /sys/fs/cgroup tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0 cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0 cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0 cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0 cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 cgroup /sys/fs/cgroup/perf_event cgroup 
rw,nosuid,nodev,noexec,relatime,perf_event 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
securityfs /sys/kernel/security securityfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime 0 0
mqueue /dev/mqueue mqueue rw,seclabel,relatime 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
tmpfs /media tmpfs rw,rootcontext=system_u:object_r:mnt_t:s0,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/sda6 /boot ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/sda5 /home ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/home/jairot/.Private /home/jairot/Private ecryptfs rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
gvfs-fuse-daemon /home/jairot/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0

> 1) remove test user with his home directory
> userdel --remove testuser
>
> 2) add user again
> useradd -G ecryptfs testuser
> passwd testuser
>
> 3) insert ecryptfs kernel module
> modprobe ecryptfs
>
> 4) check module is present:
> cat /sys/fs/ecryptfs/version
> gives you "375"
>
> 5) become testuser
> ssh testuser@localhost
>
> 6) setup ecryptfs Private
> ecryptfs-setup-private

$ sudo userdel --remove testuser
[sudo] password for jairot:
userdel: user 'testuser' does not exist
$ sudo useradd -G ecryptfs testuser
$ sudo passwd testuser
Cambiando la contraseña del usuario testuser.
Nueva contraseña:
CONTRASEÑA INCORRECTA: Es demasiado corta.
CONTRASEÑA INCORRECTA: es demasiado sencilla
Vuelva a escribir la nueva contraseña:
passwd: todos los tokens de autenticación se actualizaron exitosamente.
$ sudo modprobe ecryptfs
$ cat /sys/fs/ecryptfs/version
375
$ ssh testuser@localhost
ssh: connect to host localhost port 22: Connection refused
$ su testuser
Contraseña:
[testuser@hpfedora jairot]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Error: Your kernel does not support filename encryption
ERROR: Could not add passphrase to the current keyring

> 7) check if it works

Obviously it doesn't.

> if it does not work, add selinux=0 to kernel command line (see comment #6 )
> check selinux is disabled (using 'sestatus') and repeat above procedure.

Same results:

$ sestatus
SELinux status: disabled
$ sudo userdel --remove testuser
$ sudo useradd -G ecryptfs testuser
$ sudo passwd testuser
Cambiando la contraseña del usuario testuser.
Nueva contraseña:
CONTRASEÑA INCORRECTA: Es demasiado corta.
CONTRASEÑA INCORRECTA: es demasiado sencilla
Vuelva a escribir la nueva contraseña:
passwd: todos los tokens de autenticación se actualizaron exitosamente.
$ sudo modprobe ecryptfs
$ cat /sys/fs/ecryptfs/version
375
$ su testuser
Contraseña:
[testuser@hpfedora jairot]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Error: Your kernel does not support filename encryption
ERROR: Could not add passphrase to the current keyring

> On
> next reboot, selinux will get enabled again and it will relabel (check selinux
> context) all files on boot, so it (next boot) will take about 5-10 minutes
> longer than usual.

True. Booting, it echoed this message:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives
Starting Recreate Volatile Files and Directories failed, see `systemctl status systemd-tmpfiles-setup.service` for details

Then, after hundreds of asterisks, it rebooted again back to normal.

> the errors you get are very strange

True. I think something important happened when I did what I did in bug #757691 comment #8 (I hope it helps).
> True. I think something important happened when I did what I did in
> bug #757691 comment #8 (I hope it helps).

Unfortunately it does not help. I suspected selinux, but using selinux=0 we've disabled it completely. I'll prepare a special package for you with more debug messages. Maybe we'll finally find out what's going on here.
Please test this package:
http://kojipkgs.fedoraproject.org/scratch/mhlavink/task_3765889/ecryptfs-utils-93-1.fc16.bz773217.1.x86_64.rpm

you can get the update using:
rpm -Uvh http://kojipkgs.fedoraproject.org/scratch/mhlavink/task_3765889/ecryptfs-utils-93-1.fc16.bz773217.1.x86_64.rpm

use selinux permissive mode
a) using enforcing=0 in grub
OR
b) run "setenforce 0" as root before testing

then proceed with test from comment #12, but do not repeat the test with selinux=0. It's not necessary.

thanks
ignore previous comment, I wrote arguments in wrong order, the correct one is:

also fix your /etc/mtab before testing, run following as root:

ln -sf /proc/mounts /etc/mtab
(In reply to comment #17)
> ignore previous comment, I wrote arguments in wrong order, the correct one is:

Maybe it's my English but I don't understand this... which is the correct order?
Ahm OK sorry, I didn't notice you deleted a comment. Now I understand. I'll try this and tell you. Thanks.
Humm interesting... After fixing /etc/mtab and rebooting (both with and without setenforce 0), my ~/Private folder mounts! :D Using ecryptfs-(u)mount-private several times works as expected also.

However, after creating testuser and trying to set it up, see what happens:

[testuser@hpfedora ~]$ ecryptfs-setup-private
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
ecryptfs: version is 375
/sbin/restorecon
/sbin/restorecon
Done configuring.

Testing mount/write/umount/read...
ecryptfs: version is 375
Inserted auth tok with sig [e19db43ef9a80714] into the user session keyring
Inserted auth tok with sig [ed3a8a1905764037] into the user session keyring
mount: No such file or directory
ERROR: Could not mount private ecryptfs directory
> mount: No such file or directory
> ERROR: Could not mount private ecryptfs directory

And does it happen also in permissive mode?
(In reply to comment #21)
> And does it happen also in permissive mode?

Yes.
Try the same reproducer again (test user, ecryptfs-setup-private)

once it fails, what is the output of
keyctl show
keyctl list @u

then try to run:
keyctl link @u @s

and try to mount ecryptfs:
ecryptfs-mount-private

does it work? If it does not work, what gives you 'keyctl show' and 'keyctl list @u' now?
[testuser@hpfedora jairot]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
/sbin/restorecon
/sbin/restorecon
Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [a11e544849aaf853] into the user session keyring
Inserted auth tok with sig [3db9c09c1505a01c] into the user session keyring
mount: No such file or directory
ERROR: Could not mount private ecryptfs directory

[testuser@hpfedora jairot]$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
128488948 --alswrv   1000    -1   \_ keyring: _uid.1000
491932502 --als-rv   1000  1000       \_ user: b43e2e813afe7c23
862186942 --als-rv   1000  1000       \_ user: 4f4809770febd99e
[testuser@hpfedora jairot]$ keyctl list @u
2 keys in keyring:
630233556: --alswrv  1001  1001 user: a11e544849aaf853
337013635: --alswrv  1001  1001 user: 3db9c09c1505a01c
[testuser@hpfedora jairot]$ keyctl link @u @s
[testuser@hpfedora jairot]$ ecryptfs-mount-private
[testuser@hpfedora jairot]$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
128488948 --alswrv   1000    -1   \_ keyring: _uid.1000
491932502 --als-rv   1000  1000   |   \_ user: b43e2e813afe7c23
862186942 --als-rv   1000  1000   |   \_ user: 4f4809770febd99e
387622041 --alswrv   1001    -1   \_ keyring: _uid.1001
630233556 --alswrv   1001  1001       \_ user: a11e544849aaf853
337013635 --alswrv   1001  1001       \_ user: 3db9c09c1505a01c
[testuser@hpfedora jairot]$ keyctl list @u
2 keys in keyring:
630233556: --alswrv  1001  1001 user: a11e544849aaf853
337013635: --alswrv  1001  1001 user: 3db9c09c1505a01c

(In reply to comment #23)
> does it work?
> If it does not work, what gives you 'keyctl show' and 'keyctl
> list @u' now?

Seems like it does...
I can see you have both keyring _uid.1000 and keyring _uid.1001 visible. You probably used 'su testuser' instead of 'su - testuser'.

Do not forget there is a difference between "su - [username]" and "su [username]". Without '-' it just changes your effective uid/gid, but your environment is not initialized to the [username]'s one. This is not good when you just need permissions to run a root-only program, but it's much worse if you try to use it for some security/encryption related stuff.

Please retest and this time use 'su - testuser'.
(In reply to comment #25)
> Please retest and this time use 'su - testuser'.

You were right. Seems like now it works:

$ su - testuser
Contraseña:
[testuser@hpfedora ~]$ ecryptfs-mount-private
ERROR: Encrypted private directory is not setup properly
[testuser@hpfedora ~]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
/sbin/restorecon
/sbin/restorecon
Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
Inserted auth tok with sig [bd552f4acb4437b4] into the user session keyring
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
Inserted auth tok with sig [bd552f4acb4437b4] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

[testuser@hpfedora ~]$ keyctl show
Session Keyring
       -3 --alswrv   1001  1001  keyring: _ses
228230819 --alswrv   1001    -1   \_ keyring: _uid.1001
[testuser@hpfedora ~]$ keyctl list @u
keyring is empty
[testuser@hpfedora ~]$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
[testuser@hpfedora ~]$ keyctl show
Session Keyring
       -3 --alswrv   1001  1001  keyring: _ses
228230819 --alswrv   1001    -1   \_ keyring: _uid.1001
  2086666 --alswrv   1001  1001       \_ user: bd552f4acb4437b4
  2683238 --alswrv   1001  1001       \_ user: 6329bc7f084af053
[testuser@hpfedora ~]$ keyctl list @u
2 keys in keyring:
2086666: --alswrv  1001  1001 user: bd552f4acb4437b4
2683238: --alswrv  1001  1001 user: 6329bc7f084af053
[testuser@hpfedora ~]$ echo "test content" > Private/testfile.txt
[testuser@hpfedora ~]$ cat Private/testfile.txt
test content
[testuser@hpfedora ~]$ exit
logout
I'm a bit lost with all I did, so to sum up:

- When I run `setenforce 0`:
  - Things seem to work (I forgot to mention that before running the test in comment #26 I did a `setenforce 0`).
  - Also my user's ~/Private folder mounts perfectly.
- When I don't:
  - My ~/Private file automounts.
  - File names are encrypted.
  - File contents are decrypted.

What more can I do to help? Thanks.
OK, now it's a selinux issue. With 'setenforce 0' try what does not work (~/Private automount) and paste here output of

ausearch -m avc -ts recent

setenforce 0 switches selinux to permissive mode, so it will allow everything, but it'll log what would be denied.
Ok, so now it is time to make SELinux work using the instructions which I added previously.
(In reply to comment #28)
> OK, now it's a selinux issue. With 'setenforce 0' try what does not work
> (~/Private automount) and paste here output of
> ausearch -m avc -ts recent

----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.067:68): arch=c000003e syscall=2 success=yes exit=3 a0=249d150 a1=0 a2=1b6 a3=238 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.067:68): avc: denied { open } for pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1332277714.067:68): avc: denied { read } for pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.064:67): arch=c000003e syscall=59 success=yes exit=0 a0=1cd7de0 a1=1cd7ee0 a2=1cd6bd0 a3=18 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.064:67): avc: denied { execute_no_trans } for pid=1347 comm="sh" path="/sbin/modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1332277714.064:67): avc: denied { read open } for pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1332277714.064:67): avc: denied { execute } for pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.067:69): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fffbdc7ea80 a2=7fffbdc7ea80 a3=238 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.067:69): avc: denied { getattr } for pid=1347 comm="modprobe" path="/lib/modules/3.2.10-3.fc16.x86_64/modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.068:70): arch=c000003e syscall=2 success=yes exit=3 a0=24a1338 a1=0 a2=1b6 a3=41 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.068:70): avc: denied { open } for pid=1347 comm="modprobe" name="tpm.ko" dev=sda8 ino=422706 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1332277714.068:70): avc: denied { read } for pid=1347 comm="modprobe" name="tpm.ko" dev=sda8 ino=422706 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.082:71): arch=c000003e syscall=2 success=yes exit=3 a0=24a1998 a1=0 a2=1b6 a3=42 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.082:71): avc: denied { open } for pid=1347 comm="modprobe" name="trusted.ko" dev=sda8 ino=1193485 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1332277714.082:71): avc: denied { read } for pid=1347 comm="modprobe" name="trusted.ko" dev=sda8 ino=1193485 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Miroslav, this is job for you, could you look at it?
*** Bug 808992 has been marked as a duplicate of this bug. ***
Created attachment 574483 [details]
ecrypt test policy

Ok, now we can test it.

Note: You should be running in permissive mode because of the test policy.

How to install the ecrypt policy:

1. Download the attachment and run
2. $ tar zxfv ecrypt.tgz
3. $ cd ecrypt/
4. $ sh ecrypt.sh <username>
5. $ setsebool -P use_ecryptfs_home_dirs 1

and try to re-test it.
(In reply to comment #33)
> 1. Download the attachment and run
> 2 $ tar zxfv ecrypt.tgz
> 3. $ cd ecrypt/
> 4. $ sh ecrypt.sh <username>
> 5. $ setsebool -P use_ecryptfs_home_dirs 1
>
> and try to re-test it.

Done, but no changes. File names are still encrypted.

I'm sorry. I did that in tty2 and forgot to capture the output, so I removed the module and redid it.

$ sudo semodule -r ecrypt.pp

Reboot. Then:

[root@hpfedora ~]# cd /home/jairot/Descargas/ecrypt
[root@hpfedora ecrypt]# setenforce 0
[root@hpfedora ecrypt]# sh ecrypt.sh jairot
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted ecrypt module
/usr/bin/checkmodule: loading policy configuration from tmp/ecrypt.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 14) to tmp/ecrypt.mod
Creating targeted ecrypt.pp policy package
rm tmp/ecrypt.mod.fc tmp/ecrypt.mod
+ /usr/sbin/semodule -i ecrypt.pp
+ /sbin/restorecon -R -v /home/jairot
+ /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
/usr/sbin/semanage: Equivalence class for /home/.ecryptfs already exists
+ /sbin/restorecon -R -v /home/.ecrypfs/jairot
[root@hpfedora ecrypt]# setsebool -P use_ecryptfs_home_dirs 1

Note: The first time I ran the script, there was a lot of output from the restorecon or semanage part, but the 2nd time none of that was present.

After reboot, bug persists.
You mean AVC msgs from the comment #30, right?
(In reply to comment #35)
> You mean AVC msgs from the comment #30, right?

Yes, I did not know they were the same. I hope this helps then:

$ sudo ausearch --message avc --start 02/04/12 --end 03/04/12 | grep ecrypt
type=SYSCALL msg=audit(1333386927.483:210): arch=c000003e syscall=250 success=yes exit=0 a0=9 a1=67dda03 a2=fffffffc a3=33b9eed599 items=0 ppid=1 pid=3227 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333386927.483:210): avc: denied { write } for pid=3227 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1333389482.234:161): avc: denied { search } for pid=1423 comm="gdm-session-wor" name=".ecryptfs" dev="sda5" ino=2670756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1333392551.883:133): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=2d5703f0 a2=fffffffc a3=33b9eed599 items=0 ppid=1535 pid=3436 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333392551.883:133): avc: denied { write } for pid=3436 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333394191.662:179): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=194d4de4 a2=fffffffc a3=33b9eed599 items=0 ppid=1525 pid=2972 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333394191.662:179): avc: denied { write } for pid=2972 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333402277.149:213): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=139157e2 a2=fffffffc a3=33b9eed599 items=0 ppid=1 pid=8292 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333402277.149:213): avc: denied { write } for pid=8292 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333459901.778:104): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=3ccf7575 a2=fffffffc a3=33b9eed599 items=0 ppid=1456 pid=3189 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333459901.778:104): avc: denied { write } for pid=3189 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333474058.747:98): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=1d5bd887 a2=fffffffc a3=33b9eed599 items=0 ppid=1408 pid=2639 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333474058.747:98): avc: denied { write } for pid=2639 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
After a fresh install of F17, it worked out of the box.
(In reply to comment #37) > After a fresh install of F17, it worked out of the box. Oops, ignore this. Works when mounting manually, but not on auto-mount.
Sorry to interfere. I just struggled with ecryptfs+SELinux on F16, too. Here is how I got it working:

cat >pam_ecryptfs.te <<EOF
module pam_ecryptfs 1.2;

# allow login process access to ~/.ecryptfs
require {
	type local_login_t;
	type sshd_t;
	type xdm_t;
	type user_home_t;
	type mount_t;
	type unconfined_t;
	class file { open getattr read };
	class key { write };
}

#============= local_login_t ==============
allow local_login_t user_home_t:file { open read getattr };
allow sshd_t user_home_t:file { open read getattr };
allow xdm_t user_home_t:file { open read getattr };

#============= mount_t ==============
allow mount_t unconfined_t:key write;
EOF
make -f /usr/share/selinux/devel/Makefile
semodule -i pam_ecryptfs.pp
(In reply to comment #39)
> Here is how I got it working:

... using:

ecryptfs-utils-100-1.fc16.x86_64
selinux-policy-targeted-3.10.0-91.fc16.noarch
kernel-3.4.11-1.fc16.x86_64
It doesn't work out-of-the-box in F17. Actually I see no difference wrt F16.

use_ecryptfs_home_dirs --> on
ecryptfs-utils-100-1.fc17.x86_64
selinux-policy-targeted-3.10.0-153.fc17.noarch
kernel-3.6.1-1.fc17.x86_64

audit2allow suggests:

module ecryptfs_user 1.0;

require {
	type unconfined_t;
	type home_root_t;
	type tmpfs_t;
	type mount_t;
	type sshd_t;
	type local_login_t;
	type xdm_t;
	class file { read getattr open };
	class dir add_name;
	class key write;
}

#============= mount_t ==============
allow mount_t tmpfs_t:dir add_name;
allow mount_t unconfined_t:key write;

#============= sshd_t ==============
allow sshd_t home_root_t:file { read getattr open };
allow local_login_t home_root_t:file { read getattr open };
allow xdm_t home_root_t:file { read getattr open };
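The AVC records pasted in comments #30 and #36 and the .te modules in comments #39 and #41 are two ends of the same process: audit2allow reads `scontext`, `tcontext`, `tclass` and the denied permission set out of each `type=AVC` line, merges them per (source type, target type, class) and prints `allow` rules plus a `require` block. The script below is an added example written for this page, not code from the thread, ecryptfs-utils or selinux-policy; the function names are its author's own, and the sample records are copied from the ausearch output above. It does the same grouping and rendering, and additionally separates out denials whose target is `unlabeled_t`, because that label means the file has no context at all: the right fix there is relabeling (the `restorecon` calls in ecrypt.sh), not an allow rule that grants confined domains access to every unlabeled file.

```python
"""Turn AVC denial records into draft SELinux allow rules (what audit2allow
does) and flag the denials that call for restorecon instead of a rule.
Added example; function names are the example author's own assumptions."""
import re
from collections import defaultdict

# Sample records copied from the ausearch output pasted earlier in this
# thread; the SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1333386927.483:210): arch=c000003e syscall=250 success=no exit=-13 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333386927.483:210): avc: denied { write } for pid=3227 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1332277714.067:68): avc: denied { open } for pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1332277714.067:68): avc: denied { read } for pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1333389482.234:161): avc: denied { search } for pid=1423 comm="gdm-session-wor" name=".ecryptfs" dev="sda5" ino=2670756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")   # { open read }


def type_of(context):
    """Extract the type (third component) of user:role:type:range."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    if not line.startswith("type=AVC"):
        return None
    perms = PERMS_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not perms or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(perms.group(1).split()),
        "comm": fields.get("comm", "").strip('"'),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): set of perms}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def needs_relabel(rules):
    """Rules whose target is unlabeled_t: the object lost its label, so the
    fix is restorecon on that path, not a policy rule granting access."""
    return {k: v for k, v in rules.items() if k[1] == "unlabeled_t"}


def render_te(rules, module="ecryptfs_local", version="1.0"):
    """Render a .te module in the syntax of the policies posted in this thread."""
    types = sorted({t for (s, tt, _cls) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = collect_rules(SAMPLE_AUDIT.splitlines())
    relabel = needs_relabel(found)
    for key in relabel:
        print("# relabel the object instead of allowing:", key)
    # Only the rules that survived review go into the draft module.
    print(render_te({k: v for k, v in found.items() if k not in relabel}))
```

On a real system the input would be `ausearch -m avc -ts recent` (as in comment #28) and the draft would be compiled with the same `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps shown in comment #39. The value of doing the grouping by hand once is seeing that each `allow` line is exactly the (domain, type, class, permissions) tuple from the denial and nothing more, so a rule like `allow mount_t unconfined_t:key write` can be judged on its own before it becomes policy.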
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
As of comment #41, this affects also F17.
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.