Bug 530918 - SELinux - cryptsetup luksFormat policy requirements
Summary: SELinux - cryptsetup luksFormat policy requirements
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r1
Reported: 2014-11-27 20:59 UTC by Sven Vermeulen (RETIRED)
Modified: 2014-12-21 14:13 UTC (History)
Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 20:59:40 UTC
The cryptsetup command is currently "hosted" through the lvm_t domain.

When calling cryptsetup, the following error occurs:

~# cryptsetup luksFormat -s 512 /dev/vdb2 /etc/keys/test.key
...
device-mapper: remove ioctl on temporary-cryptsetup-1228 failed: Device or resource busy

The AVC:

time->Thu Nov 27 20:46:41 2014
type=UNKNOWN[1327] msg=audit(1417121201.520:71): proctitle=637279707473657475700062656E63686D61726B
type=SYSCALL msg=audit(1417121201.520:71): arch=c000003e syscall=41 success=no exit=-13 a0=26 a1=5 a2=0 a3=22 items=0 ppid=1144 pid=1210 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cryptsetup" exe="/sbin/cryptsetup" subj=root:sysadm_r:lvm_t:s0 key=(null)
type=AVC msg=audit(1417121201.520:71): avc:  denied  { create } for  pid=1210 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0

Second attempt gave the following error:

Failed to setup dm-crypt key mapping for device /dev/vdb2.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).

AVC:

time->Thu Nov 27 20:51:52 2014
type=UNKNOWN[1327] msg=audit(1417121512.685:86): proctitle=63727970747365747570006C756B73466F726D6174002D7300353132002F6465762F76646232002F6574632F6B6579732F746573742E6B6579
type=SYSCALL msg=audit(1417121512.685:86): arch=c000003e syscall=43 success=no exit=-13 a0=5 a1=0 a2=0 a3=6e69616c702d7374 items=0 ppid=1144 pid=18376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cryptsetup" exe="/sbin/cryptsetup" subj=root:sysadm_r:lvm_t:s0 key=(null)
type=AVC msg=audit(1417121512.685:86): avc:  denied  { accept } for  pid=18376 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0

With the following policy addition, I was able to use cryptsetup further (luksFormat, luksOpen, etc.).

allow lvm_t self:socket create_stream_socket_perms;

Reproducible: Always
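As an added example (not part of the bug report or the Gentoo policy), a small Python checker that parses the AVC records quoted above, decodes the hex proctitle field into the command line, and verifies that the proposed `create_stream_socket_perms` grant covers every denied permission. The macro is expanded by hand from refpolicy's obj_perm_sets.spt and is an assumption about that file's contents at the time.

```python
import re
from collections import defaultdict

# refpolicy permission-set macros, expanded by hand (assumed to match the
# obj_perm_sets.spt of the policy version this bug was fixed against)
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
CREATE_STREAM_SOCKET_PERMS = RW_SOCKET_PERMS | {"create", "listen", "accept"}

# Constructed sample input: the proctitle and AVC records quoted in the bug
SAMPLE_AUDIT = """\
type=UNKNOWN[1327] msg=audit(1417121201.520:71): proctitle=637279707473657475700062656E63686D61726B
type=AVC msg=audit(1417121201.520:71): avc:  denied  { create } for  pid=1210 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0
type=UNKNOWN[1327] msg=audit(1417121512.685:86): proctitle=63727970747365747570006C756B73466F726D6174002D7300353132002F6465762F76646232002F6574632F6B6579732F746573742E6B6579
type=AVC msg=audit(1417121512.685:86): avc:  denied  { accept } for  pid=18376 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)")
PROCTITLE_RE = re.compile(r"proctitle=(?P<hex>[0-9A-Fa-f]+)")

def decode_proctitle(line):
    """Decode a hex-encoded proctitle record into its NUL-separated argv."""
    m = PROCTITLE_RE.search(line)
    if not m:
        return None
    return bytes.fromhex(m.group("hex")).decode("utf-8").split("\0")

def parse_denials(text):
    """Aggregate denied permissions per (source type, target type, class).

    The target is reported as "self" when source and target types match,
    which is the form the allow rule in the bug uses."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        target = "self" if ttype == stype else ttype
        key = (stype, target, m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)

def missing_perms(denials, key, granted):
    """Permissions for `key` that would still be denied after granting `granted`."""
    return denials.get(key, set()) - granted
```

An empty result from `missing_perms` for the `(lvm_t, self, socket)` key means the rule `allow lvm_t self:socket create_stream_socket_perms;` resolves both quoted denials.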
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-15 18:57:24 UTC
Has been in policy since November 27, so is part of the r1 release
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:13:37 UTC
r1 is now stable