Bug 773217 - SELinux is preventing /bin/login from 'getattr' accesses on the archivo /home/jairot/.ecryptfs/auto-mount.
Summary: SELinux is preventing /bin/login from 'getattr' accesses on the archivo /home...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: ecryptfs-utils
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:233a9db8683fc05debe479ff4f1...
: 808992 (view as bug list)
Depends On: 757691
Blocks:
Reported: 2012-01-11 09:56 UTC by Miroslav Grepl
Modified: 2013-08-01 04:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 757691
Environment:
Last Closed: 2013-08-01 04:57:42 UTC
Type: ---
Embargoed:


Attachments
ecrypt test policy (1010 bytes, application/x-compressed-tar)
2012-04-02 12:06 UTC, Miroslav Grepl

Description Miroslav Grepl 2012-01-11 09:56:17 UTC
+++ This bug was initially created as a clone of Bug #757691 +++

libreport version: 2.0.7
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.2-1.fc16.x86_64
reason:         SELinux is preventing /bin/login from 'getattr' accesses on the archivo /home/jairot/.ecryptfs/auto-mount.
time:           lun 28 nov 2011 13:08:05 CET

description:    Text file, 2506 bytes

--- Additional comment from yajo.sk8 on 2011-11-28 07:10:23 EST ---

Created attachment 537444 [details]
File: description

--- Additional comment from mgrepl on 2011-11-28 07:34:21 EST ---

Could you try these steps

https://bugzilla.redhat.com/show_bug.cgi?id=712048#c17

--- Additional comment from yajo.sk8 on 2011-12-02 16:24:21 EST ---

I tried that. After rebooting and logging in, the SELinux alert is not showing up, but I keep experiencing the problem described in bug 487088 comment 25, as before doing all this.

sudo sh Descargas/ecrypt/ecrypt.sh jairot
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: No se hace nada para `all'.
+ /usr/sbin/semodule -i ecrypt.pp
/usr/sbin/semodule:  Failed on ecrypt.pp!
+ /sbin/restorecon -R -v /home/jairot
/sbin/restorecon reset /home/jairot/.local/share/Trash/files/fl El esposo que se gana profundo respeto.wtfav context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:data_home_t:s0
+ /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
+ /sbin/restorecon -R -v /home/.ecrypfs/jairot

$ sudo setsebool -P use_ecryptfs_home_dirs 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean use_ecryptfs_home_dirs
Could not change policy booleans

--- Additional comment from mgrepl on 2011-12-05 05:44:26 EST ---

Are you building it on F16?

--- Additional comment from yajo.sk8 on 2011-12-06 03:53:10 EST ---

(In reply to comment #4)
> Are you building it on F16?

I'm using the pre-built package from the repository, and I'm on F16.

--- Additional comment from mgrepl on 2011-12-06 06:27:40 EST ---

Ok, strange, I am able to compile/install the policy which I attached. Could you try to do these steps?

# cd Descargas/ecrypt
# make -f /usr/share/selinux/devel/Makefile clean
# make -f /usr/share/selinux/devel/Makefile ecrypt.pp
# semodule -i ecrypt.pp


Thank you.

--- Additional comment from yajo.sk8 on 2011-12-11 06:51:30 EST ---

(In reply to comment #6)
> Ok, strange, I am able to compile/install the policy which I attached. Could
> you try to do these steps?
> 
> # cd Descargas/ecrypt
> # make -f /usr/share/selinux/devel/Makefile clean
> # make -f /usr/share/selinux/devel/Makefile ecrypt.pp
> # semodule -i ecrypt.pp
> 
> 
> Thank you.

Done that, rebooted and logged in. Problem persists, wrong files are mounted:

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

After doing this, good files are mounted:
$ ecryptfs-umount-private
$ ecryptfs-mount-private

--- Additional comment from mgrepl on 2011-12-12 06:27:36 EST ---

So the "semodule -i ecrypt.pp" command worked without any error? 

If so, you just need to execute these commands

# /sbin/restorecon -R -v /home/jairot
# /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
# /sbin/restorecon -R -v /home/.ecryptfs/jairot
# setsebool -P use_ecryptfs_home_dirs 1

and now it should work from the SELinux point of view.

--- Additional comment from yajo.sk8 on 2011-12-20 14:16:15 EST ---

(In reply to comment #8)
> So the "semodule -i ecrypt.pp" command worked without any error? 
> 
> If so, you just need to execute these commands
> 
> # /sbin/restorecon -R -v /home/jairot
> # /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
> # /sbin/restorecon -R -v /home/.ecryptfs/jairot
> # setsebool -P use_ecryptfs_home_dirs 1
> 
> and now it should work from the SELinux point of view.

After doing that, I rebooted and the wrong files are still mounted, but now, after unmounting and mounting again, the wrong files stay there. No workaround now...

--- Additional comment from mgrepl on 2011-12-21 05:40:00 EST ---

And are you trying it in permissive mode?

--- Additional comment from mhlavink on 2011-12-21 06:37:45 EST ---

(Talking about comment #7)

What do you mean by wrong files mounted?
Are just the file names not decrypted, or is the content not decrypted either?
What is the "mount" output when you see this problem, and what is the "mount" output after remount?

--- Additional comment from yajo.sk8 on 2011-12-22 09:35:27 EST ---

(In reply to comment #10)
> And are you trying it in permissive mode?

I tried, but the results are the same.

(In reply to comment #11)
> Are just the file names not decrypted, or is the content not decrypted either?

Both. 

> What do you mean by wrong files mounted?
> [...]
> What is the "mount" output when you see this problem, and what is the "mount" output
> after remount?

See here:

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
[... previous line repeated 12 more times ...]
/dev/sda5 on /home type ext4 (rw)
/dev/sda6 on /boot type ext4 (rw)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)

$ ecryptfs-umount-private 

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
[... previous line repeated 12 more times ...]
/dev/sda5 on /home type ext4 (rw)
/dev/sda6 on /boot type ext4 (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)

--- Additional comment from yajo.sk8 on 2011-12-30 09:51:54 EST ---

(In reply to comment #6)
> Ok, strange, I am able to compile/install the policy which I attached. Could
> you try to do these steps?
> 
> # cd Descargas/ecrypt
> # make -f /usr/share/selinux/devel/Makefile clean
> # make -f /usr/share/selinux/devel/Makefile ecrypt.pp
> # semodule -i ecrypt.pp
> 
> 
> Thank you.


Is there any way to undo what I did in this step?

I need access to my encrypted files...

--- Additional comment from mgrepl on 2012-01-02 04:20:24 EST ---

If you run it in permissive mode then SELinux is not your problem.

--- Additional comment from yajo.sk8 on 2012-01-08 04:28:05 EST ---

(In reply to comment #14)
> If you run it in permissive mode then SELinux is not your problem.

Then how can I get a clue about where the problem is, so I can submit a bug against the right package?

Comment 1 Michal Hlavinka 2012-01-12 12:36:00 UTC
What is your output of
$ ls -l ~/.ecryptfs

and the output of
$ keyctl show
after mount?

> /home/jairot/.Private on /home/jairot/Private type ecryptfs
> (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)

I've checked old bugs and it's the same key signature as the one you were using when it worked (fully or partially), so this is really odd.

What kernel and ecryptfs-utils versions do you use?
uname -ra
rpm -q ecryptfs-utils

thanks

Comment 2 Yajo 2012-01-12 23:07:50 UTC
(In reply to comment #1)

$ ls -l ~/.ecryptfs/
total 12
-rw-------. 1 jairot jairot  0 ago  2 19:10 auto-mount
-rw-------. 1 jairot jairot  0 ago  2 19:10 auto-umount
-rw-------. 1 jairot jairot 21 ago  2 19:10 Private.mnt
-rw-------. 1 jairot jairot 34 ago  2 19:10 Private.sig
-r--------. 1 jairot jairot 48 ago  2 19:10 wrapped-passphrase

$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
827442365 --alswrv   1000    -1   \_ keyring: _uid.1000
816821061 --alswrv   1000  1000       \_ user: 4f4809770febd99e

$ ecryptfs-umount-private 

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [4f4809770febd99e] into the user session keyring

$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
827442365 --alswrv   1000    -1   \_ keyring: _uid.1000
759433863 --alswrv   1000  1000       \_ user: 4f4809770febd99e

$ uname -ra
Linux hpfedora.localdomain 3.1.2-1.fc16.x86_64 #1 SMP Tue Nov 22 09:00:57 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q ecryptfs-utils
ecryptfs-utils-90-2.fc16.x86_64

> I've checked old bugs and it's the same key signature as the one you were
> using when it worked (fully or partially), so this is really odd.

True. This bug reappeared after upgrading to F16. I managed to rescue all my private data from an Ubuntu LiveCD, so at least nothing has been lost, which is a relief...

By the way, it's quite strange that I had the workaround of unmounting and re-mounting, but after doing the stuff in bug #757691 comment #8, the workaround doesn't work even in permissive mode! Weird...

Comment 3 Michal Hlavinka 2012-01-13 08:02:07 UTC
(In reply to comment #2)
> > I've checked old bugs and it's the same key signature as the one you were
> > using when it worked (fully or partially), so this is really odd.
> 
> True. This bug reappeared after upgrading to F16. I managed to rescue all my
> private data from an Ubuntu LiveCD, so at least nothing has been lost, which is
> a relief...

so you were able to use exactly this data (encrypted files and ~/.ecryptfs content) using livecd without problem?

please try to reboot and in grub select the oldest kernel you have available and add 'enforcing=0' to kernel command line.

if it does not help, try yum downgrade ecryptfs-utils

Comment 4 Yajo 2012-01-13 13:51:41 UTC
I moved ~/.ecryptfs and ~/.Private to other location and did:

$ ecryptfs-setup-private 
Enter your login passphrase: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR:  Could not add passphrase to the current keyring


Maybe those error messages are helpful...

(In reply to comment #3)
> so you were able to use exactly this data (encrypted files and ~/.ecryptfs
> content) using livecd without problem?

I think I had to set up everything with ecryptfs-setup-private and the same passphrase, and then replace ~/.Private with my equivalent folder.

> please try to reboot and in grub select the oldest kernel you have available

I have only one kernel.

> add 'enforcing=0' to kernel command line.

I don't know how to do that.

> if it does not help, try yum downgrade ecryptfs-utils

$ sudo yum downgrade ecryptfs-utils
[...]    
Solo existe la posibilidad de actualizar el paquete: ecryptfs-utils-90-2.fc16.x86_64
Nada para hacer

Comment 5 Yajo 2012-01-22 08:31:42 UTC
Any updates on this?

Comment 6 Michal Hlavinka 2012-01-23 10:51:16 UTC
> Error: Your kernel does not support filename encryption
> ERROR:  Could not add passphrase to the current keyring

this is odd

what packages do you have installed?

$ rpm -q kernel

which one is running?

$ uname -ra

>> add 'enforcing=0' to kernel command line.
> I don't know how to do that.


If you have grub2 (background is black):
- select what you want to boot by up/down keys
- press 'e' to edit it
- find line starting with "linux /boot/vmlinuz-3...." (you won't have "/boot" there if you have separate /boot partition)
- add ' enforcing=0' at the end of that line
- press F10 to boot

if you have grub1 (background is blue):
- select what you want to boot by up/down keys
- press 'e' to edit it
- find line starting with "kernel /boot/vmlinuz-3...." (you won't have "/boot" there if you have separate /boot partition)
- press 'e' to edit that line
- add ' enforcing=0' at the end of that line
- confirm with Enter
- press 'b' to boot

Comment 7 Yajo 2012-01-23 13:58:44 UTC
(In reply to comment #6)
> what packages do you have installed?

$ rpm -q kernel
kernel-3.1.2-1.fc16.x86_64
kernel-3.1.8-2.fc16.x86_64
kernel-3.1.9-1.fc16.x86_64


> which one is running?

$ uname -ra
Linux hpfedora.localdomain 3.1.2-1.fc16.x86_64 #1 SMP Tue Nov 22 09:00:57 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux


> >> add 'enforcing=0' to kernel command line.
> > I don't know how to do that.
> 
> 
> If you have grub2 (background is black):
> - select what you want to boot by up/down keys
> - press 'e' to edit it
> - find line starting with "linux /boot/vmlinuz-3...." (you won't have "/boot"
> there if you have separate /boot partition)
> - add ' enforcing=0' at the end of that line
> - press F10 to boot

Done that, but nothing changes...

Comment 8 Michal Hlavinka 2012-01-24 17:07:39 UTC
I guess you've tried different kernel versions too? If not, please try updating to 3.2.1-3 kernel and test if it changes anything. 

Try to use
modprobe ecryptfs

What output does this give you:
cat /sys/fs/ecryptfs/version

> Enter your mount passphrase [leave blank to generate one]: 
> Enter your mount passphrase (again): 
> 
> ************************************************************************
> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
>  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
> ************************************************************************

do you have your mount passphrase or not?

Also please try to add a new user, just for testing, and see if ecryptfs works there (with new data, not with the old data you already have). If it works, what is the output of 'mount' once Private is mounted?

thanks

Comment 9 Yajo 2012-01-25 14:07:37 UTC
(In reply to comment #8)
> I guess you've tried different kernel versions too? If not, please try updating
> to 3.2.1-3 kernel and test if it changes anything. 
> 
> Try to use
> modprobe ecryptfs
> 
> What output does this give you:
> cat /sys/fs/ecryptfs/version

$ uname -a
Linux hpfedora.localdomain 3.2.1-3.fc16.x86_64 #1 SMP Mon Jan 23 15:36:17 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ ls Private/
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.2yCPt2KW5lQvM8YkET2xa---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.F7peVpxgBbAKT3a0xheu8---
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.LDT-hNeBlGcNTTFIzS.3nk--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.P8EWIQ-mL6JpIApgeoSZ6U--
ECRYPTFS_FNEK_ENCRYPTED.FWaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.u0YpfWmuur5DXoAXevUgR---
ECRYPTFS_FNEK_ENCRYPTED.FXaoDWu.Cjtw6kQaZaymE2xzgJFixN3DB7g.WHMioUXTw.G9KPVhIFNHzPqKdWovOa8ECkn.yddOPz2-

$ modprobe ecryptfs

$ cat /sys/fs/ecryptfs/version 
375


> do you have your mount passphrase or not?

I have it. That's how I rescued the data from Ubuntu.


> Also please try to add a new user, just for testing, and see if ecryptfs works
> there (with new data, not with the old data you already have). If it works,
> what is the output of 'mount' once Private is mounted?

$ sudo useradd --create-home --groups ecryptfs testuser

$ su testuser
Contraseña: 

[testuser@hpfedora ~]$ ecryptfs-setup-private 
Enter your login passphrase [testuser]: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR:  Could not add passphrase to the current keyring
[testuser@hpfedora ~]$ ecryptfs-mount-private 
ERROR: Encrypted private directory is not setup properly

[testuser@hpfedora ~]$ ls Private/ .Private/ .ecryptfs/
.ecryptfs/:
auto-mount  auto-umount  wrapped-passphrase

.Private/:

Private/:
Access-Your-Private-Data.desktop  README.txt

[testuser@hpfedora ~]$ mount
fusectl on /sys/fs/fuse/connections type fusectl (rw)
[... previous line repeated 50 more times ...]
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
[... previous line repeated 14 more times ...]
/dev/sda6 on /boot type ext4 (rw)
/dev/sda5 on /home type ext4 (rw)
/home/jairot/.Private on /home/jairot/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/jairot/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=jairot)

Comment 10 Michal Hlavinka 2012-01-27 16:58:33 UTC
Try to run the following command:

ecryptfs-unwrap-passphrase /home/jairot/.ecryptfs/wrapped-passphrase

does it show your mount passphrase or is your mount passphrase different?

Also try following as root:

modprobe ecryptfs

mount -t ecryptfs /home/jairot/.Private /home/jairot/Private -o  "key=passphrase:passphrase_passwd=YOUR_MOUNT_PASSPHRASE,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no"

Replace YOUR_MOUNT_PASSPHRASE with your actual mount passphrase.

Test if it mounts your data correctly. It should just decrypt data, not the filenames, so check your data even if the file names are encrypted.

If it does not work, is there any error message in /var/log/messages?

Comment 11 Yajo 2012-01-29 11:08:08 UTC
(In reply to comment #10)
> Try to run the following command:
> 
> ecryptfs-unwrap-passphrase /home/jairot/.ecryptfs/wrapped-passphrase
> 
> does it show your mount passphrase or is your mount passphrase different?

It shows the correct one.


> Also try following as root:
> 
> modprobe ecryptfs
> 
> mount -t ecryptfs /home/jairot/.Private /home/jairot/Private -o "key=passphrase:passphrase_passwd=YOUR_MOUNT_PASSPHRASE,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no"
> 
> Replace YOUR_MOUNT_PASSPHRASE with your actual mount passphrase.
> 
> Test if it mounts your data correctly. It should just decrypt data, not the
> filenames, so check your data even if the file names are encrypted.

Works. Filenames are encrypted but data is readable.

> If it does not work, is there any error message in /var/log/messages?

$ sudo cat /var/log/messages | grep ecryptfs
Jan 29 11:02:33 hpfedora gdm-welcome][1127]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Jan 29 11:02:46 hpfedora gdm-password][1292]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: Can't check if kernel supports ecryptfs
Jan 29 11:02:46 hpfedora gdm-password][1307]: ecryptfs: fill_keyring: Passphrase file wrapped
Jan 29 11:29:11 hpfedora umount.ecryptfs_private: Failed to unlink key with sig [4f4809770febd99e]: Permission denied
Jan 29 11:47:42 hpfedora gdm-welcome][1101]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Jan 29 11:48:34 hpfedora gdm-password][1262]: ecryptfs: pam_sm_authenticate: pam_ecryptfs: Can't check if kernel supports ecryptfs
Jan 29 11:48:35 hpfedora gdm-password][1302]: ecryptfs: fill_keyring: Passphrase file wrapped
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [openssl] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [openssl] has empty parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [pkcs11-helper] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Key module [pkcs11-helper] has empty parameter list
Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount point in [/etc/mtab]. Defaulting to [/proc].

Comment 12 Michal Hlavinka 2012-01-30 16:05:14 UTC
> Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount
> point in [/etc/mtab]. Defaulting to [/proc].

do you have /etc/mtab -> /proc/mounts symlink?

The errors you get are very strange. We'll try to focus on the following case:
> $ sudo useradd --create-home --groups ecryptfs testuser
> 
> $ su testuser
> Contraseña: 
> 
> [testuser@hpfedora ~]$ ecryptfs-setup-private 
> Enter your login passphrase [testuser]: 
> Enter your mount passphrase [leave blank to generate one]: 
> Enter your mount passphrase (again): 
> 
> ************************************************************************
> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
>   ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
> ************************************************************************
> 
> Error: Your kernel does not support filename encryption
> ERROR:  Could not add passphrase to the current keyring

so that we don't change anything for your current user.

1) remove test user with his home directory
userdel --remove testuser

2) add user again
useradd -G ecryptfs testuser
passwd testuser

3) insert ecryptfs kernel module
modprobe ecryptfs

4) check module is present:
cat /sys/fs/ecryptfs/version
it should give you "375"

5) become testuser
ssh testuser@localhost

6) setup ecryptfs Private
ecryptfs-setup-private

7) check if it works

If it does not work, add selinux=0 to the kernel command line (see comment #6), check that SELinux is disabled (using 'sestatus') and repeat the above procedure. On the next reboot SELinux will be enabled again and will relabel (check the SELinux context of) all files during boot, so that boot will take about 5-10 minutes longer than usual.

Comment 13 Yajo 2012-01-31 14:40:07 UTC
(In reply to comment #12)
> > Jan 29 12:03:50 hpfedora mount.ecryptfs: Error attempting to find proc mount
> > point in [/etc/mtab]. Defaulting to [/proc].
>
> do you have /etc/mtab -> /proc/mounts symlink?

Seems not:

$ ls -l /etc/mtab /proc/mounts
-rw-r--r--. 1 root root 4079 ene 31 14:38 /etc/mtab
lrwxrwxrwx. 1 root root   11 ene 31 14:49 /proc/mounts -> self/mounts

Here are their contents:

$ cat /etc/mtab
fusectl /sys/fs/fuse/connections fusectl rw 0 0
[... previous line repeated 50 more times ...]
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
/dev/sda6 /boot ext4 rw 0 0
/dev/sda5 /home ext4 rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
/dev/sda6 /boot ext4 rw 0 0
/dev/sda5 /home ext4 rw 0 0
/home/jairot/.Private /home/jairot/Private ecryptfs ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=4f4809770febd99e 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
gvfs-fuse-daemon /home/jairot/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user=jairot 0 0

$ cat /proc/mounts
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,relatime,size=1015656k,nr_inodes=253914,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,relatime,mode=755 0 0
/dev/sda8 / ext4 rw,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,relatime,mode=755 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
securityfs /sys/kernel/security securityfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime 0 0
mqueue /dev/mqueue mqueue rw,seclabel,relatime 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
tmpfs /media tmpfs rw,rootcontext=system_u:object_r:mnt_t:s0,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/sda6 /boot ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/sda5 /home ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/home/jairot/.Private /home/jairot/Private ecryptfs rw,relatime,ecryptfs_sig=4f4809770febd99e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
gvfs-fuse-daemon /home/jairot/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0


> 1) remove test user with his home directory
> userdel --remove testuser
>
> 2) add user again
> useradd -G ecryptfs testuser
> passwd testuser
>
> 3) insert ecryptfs kernel module
> modprobe ecryptfs
>
> 4) check module is present:
> cat /sys/fs/ecryptfs/version
> gives you "375"
>
> 5) become testuser
> ssh testuser@localhost
>
> 6) setup ecryptfs Private
> ecryptfs-setup-private

$ sudo userdel --remove testuser
[sudo] password for jairot:
userdel: user 'testuser' does not exist

$ sudo useradd -G ecryptfs testuser

$ sudo passwd testuser
Cambiando la contraseña del usuario testuser.
Nueva contraseña:
CONTRASEÑA INCORRECTA: Es demasiado corta.
CONTRASEÑA INCORRECTA: es demasiado sencilla
Vuelva a escribir la nueva contraseña:
passwd: todos los tokens de autenticación se actualizaron exitosamente.

$ sudo modprobe ecryptfs

$ cat /sys/fs/ecryptfs/version
375

$ ssh testuser@localhost
ssh: connect to host localhost port 22: Connection refused

$ su testuser
Contraseña:

[testuser@hpfedora jairot]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR:  Could not add passphrase to the current keyring


> 7) check if it works

Obviously it doesn't.


> if it does not work, add selinux=0 to kernel command line (see comment #6 )
> check selinux is disabled (using 'sestatus') and repeat above procedure.

Same results:

$ sestatus
SELinux status:                 disabled

$ sudo userdel --remove testuser

$ sudo useradd -G ecryptfs testuser

$ sudo passwd testuser
Cambiando la contraseña del usuario testuser.
Nueva contraseña:
CONTRASEÑA INCORRECTA: Es demasiado corta.
CONTRASEÑA INCORRECTA: es demasiado sencilla
Vuelva a escribir la nueva contraseña:
passwd: todos los tokens de autenticación se actualizaron exitosamente.

$ sudo modprobe ecryptfs

$ cat /sys/fs/ecryptfs/version
375

$ su testuser
Contraseña:

[testuser@hpfedora jairot]$ ecryptfs-setup-private
Enter your login passphrase [testuser]:
Enter your mount passphrase [leave blank to generate one]:

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Error: Your kernel does not support filename encryption
ERROR:  Could not add passphrase to the current keyring


> On
> next reboot, selinux will get enabled again and it will relabel (check selinux
> context) all files on boot, so it (next boot) will take about 5-10 minutes
> longer than usual.

True. Booting, it echoed this message:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives
Starting Recreate Volatile Files and Directories failed, see `systemctl status systemd-tmpfiles-setup.service` for details

Then, after hundreds of asterisks, it rebooted again back to normal.


> the errors you get are very strange

True. I think something important happened when I did what I did in bug #757691 comment #8 (I hope it helps).

Comment 14 Michal Hlavinka 2012-02-02 16:56:45 UTC
> True. I think something important happened when I did what I did in 
> bug #757691 comment #8 (I hope it helps).

Unfortunately it does not help. I suspected selinux, but using selinux=0 we've disabled it completely. I'll prepare a special package for you with more debug messages. Maybe we'll finally find out what's going on here.

Comment 15 Michal Hlavinka 2012-02-06 14:01:59 UTC
Please test this package:
http://kojipkgs.fedoraproject.org/scratch/mhlavink/task_3765889/ecryptfs-utils-93-1.fc16.bz773217.1.x86_64.rpm

you can get the update using:
rpm -Uvh http://kojipkgs.fedoraproject.org/scratch/mhlavink/task_3765889/ecryptfs-utils-93-1.fc16.bz773217.1.x86_64.rpm

use selinux permissive mode: a) using enforcing=0 in grub OR b) run "setenforce 0" as root before testing

then proceed with test from comment #12, but do not repeat the test with selinux=0. It's not necessary.

thanks

Comment 17 Michal Hlavinka 2012-02-06 14:22:38 UTC
ignore the previous comment, I wrote the arguments in the wrong order, the correct one is:

also fix your /etc/mtab before testing, run following as root:
ln -sf /proc/mounts /etc/mtab

Comment 18 Yajo 2012-02-07 11:53:22 UTC
(In reply to comment #17)
> ignore the previous comment, I wrote the arguments in the wrong order, the correct one is:

Maybe it's my English but I don't understand this... which is the correct order?

Comment 19 Yajo 2012-02-07 11:55:51 UTC
Ahm OK sorry, I didn't notice you deleted a comment. Now I understand. I'll try this and tell you. Thanks.

Comment 20 Yajo 2012-02-09 15:45:15 UTC
Humm interesting...

After fixing /etc/mtab and rebooting (both with and without setenforce 0), my ~/Private folder mounts! :D

Using ecryptfs-(u)mount-private several times works as expected also.

However, after creating testuser and trying to set it up, see what happens:

[testuser@hpfedora ~]$ ecryptfs-setup-private 
Enter your login passphrase: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

ecryptfs: version is 375
/sbin/restorecon
/sbin/restorecon

Done configuring.

Testing mount/write/umount/read...
ecryptfs: version is 375
Inserted auth tok with sig [e19db43ef9a80714] into the user session keyring
Inserted auth tok with sig [ed3a8a1905764037] into the user session keyring
mount: No such file or directory
ERROR:  Could not mount private ecryptfs directory

Comment 21 Miroslav Grepl 2012-02-10 06:47:06 UTC
>mount: No such file or directory
>ERROR:  Could not mount private ecryptfs directory

And does it happen also in permissive mode?

Comment 22 Yajo 2012-02-17 12:13:06 UTC
(In reply to comment #21)
> And does it happen also in permissive mode?

Yes.

Comment 23 Michal Hlavinka 2012-02-22 12:01:57 UTC
Try the same reproducer again (test user, ecryptfs-setup-private)

once it fails, what is the output of 
keyctl show
keyctl list @u

then try to run:
keyctl link @u @s
and try to mount ecryptfs:
ecryptfs-mount-private

does it work? If it does not work, what do 'keyctl show' and 'keyctl list @u' give you now?

Comment 24 Yajo 2012-03-04 13:16:34 UTC
[testuser@hpfedora jairot]$ ecryptfs-setup-private 
Enter your login passphrase [testuser]: 
Enter your mount passphrase [leave blank to generate one]: 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

/sbin/restorecon
/sbin/restorecon

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [a11e544849aaf853] into the user session keyring
Inserted auth tok with sig [3db9c09c1505a01c] into the user session keyring
mount: No such file or directory
ERROR:  Could not mount private ecryptfs directory
[testuser@hpfedora jairot]$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
128488948 --alswrv   1000    -1   \_ keyring: _uid.1000
491932502 --als-rv   1000  1000       \_ user: b43e2e813afe7c23
862186942 --als-rv   1000  1000       \_ user: 4f4809770febd99e
[testuser@hpfedora jairot]$ keyctl list @u
2 keys in keyring:
630233556: --alswrv  1001  1001 user: a11e544849aaf853
337013635: --alswrv  1001  1001 user: 3db9c09c1505a01c
[testuser@hpfedora jairot]$ keyctl link @u @s
[testuser@hpfedora jairot]$ ecryptfs-mount-private 
[testuser@hpfedora jairot]$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses
128488948 --alswrv   1000    -1   \_ keyring: _uid.1000
491932502 --als-rv   1000  1000   |   \_ user: b43e2e813afe7c23
862186942 --als-rv   1000  1000   |   \_ user: 4f4809770febd99e
387622041 --alswrv   1001    -1   \_ keyring: _uid.1001
630233556 --alswrv   1001  1001       \_ user: a11e544849aaf853
337013635 --alswrv   1001  1001       \_ user: 3db9c09c1505a01c
[testuser@hpfedora jairot]$ keyctl list @u
2 keys in keyring:
630233556: --alswrv  1001  1001 user: a11e544849aaf853
337013635: --alswrv  1001  1001 user: 3db9c09c1505a01c


(In reply to comment #23)
> does it work? If it does not work, what do 'keyctl show' and 'keyctl
> list @u' give you now?

Seems like it does...

Comment 25 Michal Hlavinka 2012-03-05 10:13:27 UTC
I can see you have both keyring _uid.1000 and keyring _uid.1001 visible. You probably used 'su testuser' instead of 'su - testuser'. Do not forget there is a difference between "su - [username]" and "su [username]". Without '-' it just changes your effective uid/gid, but your environment is not initialized to the [username]'s one. This is not good when you just need permissions to run a root-only program, but it's much worse if you try to use it for some security/encryption related stuff. Please retest and this time use 'su - testuser'.

Comment 26 Yajo 2012-03-13 13:52:59 UTC
(In reply to comment #25)
> Please retest and this time use 'su -
> testuser'.

You were right. Seems like now it works:

$ su - testuser 
Contraseña: 
[testuser@hpfedora ~]$ ecryptfs-mount-private 
ERROR: Encrypted private directory is not setup properly
[testuser@hpfedora ~]$ ecryptfs-setup-private 
Enter your login passphrase [testuser]: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

/sbin/restorecon
/sbin/restorecon

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
Inserted auth tok with sig [bd552f4acb4437b4] into the user session keyring
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
Inserted auth tok with sig [bd552f4acb4437b4] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

[testuser@hpfedora ~]$ keyctl show
Session Keyring
       -3 --alswrv   1001  1001  keyring: _ses
228230819 --alswrv   1001    -1   \_ keyring: _uid.1001
[testuser@hpfedora ~]$ keyctl list @u
keyring is empty
[testuser@hpfedora ~]$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [6329bc7f084af053] into the user session keyring
[testuser@hpfedora ~]$ keyctl show
Session Keyring
       -3 --alswrv   1001  1001  keyring: _ses
228230819 --alswrv   1001    -1   \_ keyring: _uid.1001
  2086666 --alswrv   1001  1001       \_ user: bd552f4acb4437b4
  2683238 --alswrv   1001  1001       \_ user: 6329bc7f084af053
[testuser@hpfedora ~]$ keyctl list @u
2 keys in keyring:
  2086666: --alswrv  1001  1001 user: bd552f4acb4437b4
  2683238: --alswrv  1001  1001 user: 6329bc7f084af053
[testuser@hpfedora ~]$ echo "test content" > Private/testfile.txt
[testuser@hpfedora ~]$ cat Private/testfile.txt 
test content
[testuser@hpfedora ~]$ exit
logout

Comment 27 Yajo 2012-03-16 14:45:55 UTC
I'm a bit lost with all I did, so to sum up:

- When I run `setenforce 0`:
    - Things seem to work (I forgot to mention that before running the
      test in comment #26 I did a `setenforce 0`).
    - Also my user's ~/Private folder mounts perfectly.
- When I don't:
    - My ~/Private file automounts.
        - File names are encrypted.
        - File contents are decrypted.

What more can I do to help?

Thanks.

Comment 28 Michal Hlavinka 2012-03-16 15:02:25 UTC
OK, now it's a selinux issue. With 'setenforce 0' try what does not work (~/Private automount) and paste here the output of 
ausearch -m avc -ts recent

setenforce 0 switches selinux to permissive mode, so it will allow everything, but it'll log what would be denied.

Comment 29 Miroslav Grepl 2012-03-19 14:05:11 UTC
Ok, so now it is time to make SELinux work using the instructions which I added previously.

Comment 30 Yajo 2012-03-20 21:14:29 UTC
(In reply to comment #28)
> OK, now it's a selinux issue. With 'setenforce 0' try what does not work
> (~/Private automount) and paste here output of 
> ausearch -m avc -ts recent

----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.067:68): arch=c000003e syscall=2 success=yes exit=3 a0=249d150 a1=0 a2=1b6 a3=238 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.067:68): avc:  denied  { open } for  pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1332277714.067:68): avc:  denied  { read } for  pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.064:67): arch=c000003e syscall=59 success=yes exit=0 a0=1cd7de0 a1=1cd7ee0 a2=1cd6bd0 a3=18 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.064:67): avc:  denied  { execute_no_trans } for  pid=1347 comm="sh" path="/sbin/modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1332277714.064:67): avc:  denied  { read open } for  pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1332277714.064:67): avc:  denied  { execute } for  pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.067:69): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fffbdc7ea80 a2=7fffbdc7ea80 a3=238 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.067:69): avc:  denied  { getattr } for  pid=1347 comm="modprobe" path="/lib/modules/3.2.10-3.fc16.x86_64/modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.068:70): arch=c000003e syscall=2 success=yes exit=3 a0=24a1338 a1=0 a2=1b6 a3=41 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.068:70): avc:  denied  { open } for  pid=1347 comm="modprobe" name="tpm.ko" dev=sda8 ino=422706 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1332277714.068:70): avc:  denied  { read } for  pid=1347 comm="modprobe" name="tpm.ko" dev=sda8 ino=422706 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
----
time->Tue Mar 20 22:08:34 2012
type=SYSCALL msg=audit(1332277714.082:71): arch=c000003e syscall=2 success=yes exit=3 a0=24a1998 a1=0 a2=1b6 a3=42 items=0 ppid=1346 pid=1347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332277714.082:71): avc:  denied  { open } for  pid=1347 comm="modprobe" name="trusted.ko" dev=sda8 ino=1193485 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1332277714.082:71): avc:  denied  { read } for  pid=1347 comm="modprobe" name="trusted.ko" dev=sda8 ino=1193485 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file

Comment 31 Michal Hlavinka 2012-03-30 10:59:27 UTC
Miroslav, this is job for you, could you look at it?

Comment 32 Miroslav Grepl 2012-04-02 11:43:04 UTC
*** Bug 808992 has been marked as a duplicate of this bug. ***

Comment 33 Miroslav Grepl 2012-04-02 12:06:03 UTC
Created attachment 574483 [details]
ecrypt test policy

Ok, now we can test it.

Note: You should be running in permissive mode because of the test
policy.

How to install the ecrypt policy:

1. Download the attachment and run
2. $ tar zxfv ecrypt.tgz
3. $ cd ecrypt/
4. $ sh ecrypt.sh <username>
5. $ setsebool -P use_ecryptfs_home_dirs 1

and try to re-test it.

Comment 34 Yajo 2012-04-02 18:23:45 UTC
(In reply to comment #33)
> 1. Download the attachment and run
> 2. $ tar zxfv ecrypt.tgz
> 3. $ cd ecrypt/
> 4. $ sh ecrypt.sh <username>
> 5. $ setsebool -P use_ecryptfs_home_dirs 1
> 
> and try to re-test it.

Done, but no changes. File names are still encrypted.

I'm sorry. I did that in tty2 and forgot to capture the output, so I removed the module and redid it.

$ sudo semodule -r ecrypt.pp

Reboot. Then:

[root@hpfedora ~]# cd /home/jairot/Descargas/ecrypt
[root@hpfedora ecrypt]# setenforce 0
[root@hpfedora ecrypt]# sh ecrypt.sh jairot
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted ecrypt module
/usr/bin/checkmodule:  loading policy configuration from tmp/ecrypt.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 14) to tmp/ecrypt.mod
Creating targeted ecrypt.pp policy package
rm tmp/ecrypt.mod.fc tmp/ecrypt.mod
+ /usr/sbin/semodule -i ecrypt.pp
+ /sbin/restorecon -R -v /home/jairot
+ /usr/sbin/semanage fcontext -a -e /home /home/.ecryptfs
/usr/sbin/semanage: Equivalence class for /home/.ecryptfs already exists
+ /sbin/restorecon -R -v /home/.ecrypfs/jairot
[root@hpfedora ecrypt]# setsebool -P use_ecryptfs_home_dirs 1


Note: The first time I ran the script, there was a lot of output from the restorecon or semanage part, but the 2nd time none of that was present.

After reboot, bug persists.

Comment 35 Miroslav Grepl 2012-04-26 14:32:23 UTC
You mean AVC msgs from the comment #30, right?

Comment 36 Yajo 2012-04-26 21:05:35 UTC
(In reply to comment #35)
> You mean AVC msgs from the comment #30, right?
Yes, I did not know they were the same. I hope this helps then:

$ sudo ausearch --message avc --start 02/04/12 --end 03/04/12 | grep ecrypt
type=SYSCALL msg=audit(1333386927.483:210): arch=c000003e syscall=250 success=yes exit=0 a0=9 a1=67dda03 a2=fffffffc a3=33b9eed599 items=0 ppid=1 pid=3227 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333386927.483:210): avc:  denied  { write } for  pid=3227 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1333389482.234:161): avc:  denied  { search } for  pid=1423 comm="gdm-session-wor" name=".ecryptfs" dev="sda5" ino=2670756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1333392551.883:133): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=2d5703f0 a2=fffffffc a3=33b9eed599 items=0 ppid=1535 pid=3436 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333392551.883:133): avc:  denied  { write } for  pid=3436 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333394191.662:179): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=194d4de4 a2=fffffffc a3=33b9eed599 items=0 ppid=1525 pid=2972 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333394191.662:179): avc:  denied  { write } for  pid=2972 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333402277.149:213): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=139157e2 a2=fffffffc a3=33b9eed599 items=0 ppid=1 pid=8292 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333402277.149:213): avc:  denied  { write } for  pid=8292 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333459901.778:104): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=3ccf7575 a2=fffffffc a3=33b9eed599 items=0 ppid=1456 pid=3189 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333459901.778:104): avc:  denied  { write } for  pid=3189 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1333474058.747:98): arch=c000003e syscall=250 success=no exit=-13 a0=9 a1=1d5bd887 a2=fffffffc a3=33b9eed599 items=0 ppid=1408 pid=2639 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="umount.ecryptfs" exe="/sbin/mount.ecryptfs_private" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333474058.747:98): avc:  denied  { write } for  pid=2639 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key

Comment 37 Yajo 2012-06-05 07:16:03 UTC
After a fresh install of F17, it worked out of the box.

Comment 38 Yajo 2012-06-09 05:29:30 UTC
(In reply to comment #37)
> After a fresh install of F17, it worked out of the box.

Oops, ignore this. Works when mounting manually, but not on auto-mount.

Comment 39 Martin Wilck 2012-10-12 15:12:37 UTC
Sorry to interfere. I just struggled with ecryptfs+SELinux on F16, too.

Here is how I got it working:

cat >pam_ecryptfs.te <<EOF
module pam_ecryptfs 1.2;
# allow login process access to ~/.ecryptfs

require {
        type local_login_t;
        type sshd_t;
        type xdm_t;
        type user_home_t;
        type mount_t;
        type unconfined_t;
        class file  { open getattr read };
        class key { write };
}


#============= local_login_t ==============
allow local_login_t user_home_t:file { open read getattr };
allow sshd_t user_home_t:file { open read getattr };
allow xdm_t user_home_t:file { open read getattr };

#============= mount_t ==============
allow mount_t unconfined_t:key write;
EOF
make -f /usr/share/selinux/devel/Makefile
semodule -i pam_ecryptfs.pp

Comment 40 Martin Wilck 2012-10-12 15:20:27 UTC
(In reply to comment #39)
> Here is how I got it working:

... using:

ecryptfs-utils-100-1.fc16.x86_64
selinux-policy-targeted-3.10.0-91.fc16.noarch
kernel-3.4.11-1.fc16.x86_64

Comment 41 Martin Wilck 2012-10-14 21:32:11 UTC
It doesn't work out-of-the-box in F17. Actually I see no difference wrt F16.

use_ecryptfs_home_dirs --> on

ecryptfs-utils-100-1.fc17.x86_64
selinux-policy-targeted-3.10.0-153.fc17.noarch
kernel-3.6.1-1.fc17.x86_64

audit2allow suggests:

module ecryptfs_user 1.0;

require {
	type unconfined_t;
	type home_root_t;
	type tmpfs_t;
	type mount_t;
	type sshd_t;
	type local_login_t;
	type xdm_t;
	class file { read getattr open };
	class dir add_name;
	class key write;
}

#============= mount_t ==============
allow mount_t tmpfs_t:dir add_name;
allow mount_t unconfined_t:key write;

#============= sshd_t ==============
allow sshd_t home_root_t:file { read getattr open };
allow local_login_t home_root_t:file { read getattr open };
allow xdm_t home_root_t:file { read getattr open };

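The AVC records in comments 30 and 36 and the module audit2allow produced in comment 41 map onto each other mechanically. The following Python, added here as an example and not part of the bug report, of ecryptfs-utils or of the SELinux tools, performs that reduction over records copied from the comments above, emits a .te module in the shape of comments 39 and 41, and flags the rules (the unlabeled_t and unconfined_t targets, the execute_no_trans permission) that call for a label fix or a transition rule rather than a blanket allow.

```python
"""Mini audit2allow for the AVC records pasted in this bug (added example,
not part of the bug report, ecryptfs-utils or the SELinux tools)."""
import re
from collections import defaultdict

# Sample input: audit lines copied verbatim from comments 30 and 36 above,
# plus the separator lines ausearch prints, which the parser must skip.
SAMPLE_AVC = [
    '----',
    'time->Tue Mar 20 22:08:34 2012',
    'type=AVC msg=audit(1332277714.067:68): avc:  denied  { open } for  pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
    'type=AVC msg=audit(1332277714.067:68): avc:  denied  { read } for  pid=1347 comm="modprobe" name="modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
    'type=AVC msg=audit(1332277714.064:67): avc:  denied  { execute_no_trans } for  pid=1347 comm="sh" path="/sbin/modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1332277714.064:67): avc:  denied  { read open } for  pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1332277714.064:67): avc:  denied  { execute } for  pid=1347 comm="sh" name="modprobe" dev=sda8 ino=5541 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1332277714.067:69): avc:  denied  { getattr } for  pid=1347 comm="modprobe" path="/lib/modules/3.2.10-3.fc16.x86_64/modules.dep.bin" dev=sda8 ino=393246 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
    'type=AVC msg=audit(1333386927.483:210): avc:  denied  { write } for  pid=3227 comm="umount.ecryptfs" scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key',
    'type=AVC msg=audit(1333389482.234:161): avc:  denied  { search } for  pid=1423 comm="gdm-session-wor" name=".ecryptfs" dev="sda5" ino=2670756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (perms, source type, target type, tclass) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # a context is user:role:type[:range]; the policy rule only needs the type
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return set(m.group('perms').split()), stype, ttype, tclass


def reduce_denials(lines):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms, stype, ttype, tclass = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'


def render_rules(rules):
    """One allow rule per (source, target, class), sorted for stable output."""
    return [f'allow {s} {t}:{c} {fmt_perms(p)};'
            for (s, t, c), p in sorted(rules.items())]


def render_module(name, rules):
    """Emit a .te module in the shape of comments 39 and 41: require block + rules."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), p in rules.items():
        types.update((s, t))
        classes[c] |= p
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + render_rules(rules)
    return '\n'.join(lines) + '\n'


# Targets that point at a labeling or design problem, not a missing allow rule.
REVIEW_HINTS = {
    'unlabeled_t': 'target is unlabeled: fix labels with restorecon instead of allowing it',
    'unconfined_t': 'gives a confined domain access to unconfined objects',
}


def review(rules):
    """Flag rules audit2allow would print but a policy author should not load as-is."""
    notes = []
    for (s, t, c), p in sorted(rules.items()):
        if t in REVIEW_HINTS:
            notes.append(f'{s} -> {t}:{c}: {REVIEW_HINTS[t]}')
        if c == 'file' and 'execute_no_trans' in p:
            notes.append(f'{s} -> {t}:{c}: executes without a domain transition; prefer domtrans')
    return notes


if __name__ == '__main__':
    rules = reduce_denials(SAMPLE_AVC)
    print(render_module('ecryptfs_user', rules))
    for note in review(rules):
        print('REVIEW:', note)
```
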
Comment 42 Fedora End Of Life 2013-01-16 15:42:17 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 43 Martin Wilck 2013-01-17 08:25:57 UTC
As of comment #41, this affects also F17.

Comment 44 Fedora End Of Life 2013-07-04 00:49:57 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 45 Fedora End Of Life 2013-08-01 04:57:48 UTC
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

