The cryptsetup command is currently "hosted" through the lvm_t domain. When calling cryptsetup, the following error occurs:

    ~# cryptsetup luksFormat -s 512 /dev/vdb2 /etc/keys/test.key
    ...
    device-mapper: remove ioctl on temporary-cryptsetup-1228 failed: Device or resource busy

The AVC:

    time->Thu Nov 27 20:46:41 2014
    type=UNKNOWN[1327] msg=audit(1417121201.520:71): proctitle=637279707473657475700062656E63686D61726B
    type=SYSCALL msg=audit(1417121201.520:71): arch=c000003e syscall=41 success=no exit=-13 a0=26 a1=5 a2=0 a3=22 items=0 ppid=1144 pid=1210 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cryptsetup" exe="/sbin/cryptsetup" subj=root:sysadm_r:lvm_t:s0 key=(null)
    type=AVC msg=audit(1417121201.520:71): avc: denied { create } for pid=1210 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0

Second attempt gave the following error:

    Failed to setup dm-crypt key mapping for device /dev/vdb2.
    Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).

AVC:

    time->Thu Nov 27 20:51:52 2014
    type=UNKNOWN[1327] msg=audit(1417121512.685:86): proctitle=63727970747365747570006C756B73466F726D6174002D7300353132002F6465762F76646232002F6574632F6B6579732F746573742E6B6579
    type=SYSCALL msg=audit(1417121512.685:86): arch=c000003e syscall=43 success=no exit=-13 a0=5 a1=0 a2=0 a3=6e69616c702d7374 items=0 ppid=1144 pid=18376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cryptsetup" exe="/sbin/cryptsetup" subj=root:sysadm_r:lvm_t:s0 key=(null)
    type=AVC msg=audit(1417121512.685:86): avc: denied { accept } for pid=18376 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0

With the following policy addition, I was able to use cryptsetup further (luksFormat, luksOpen, etc.):

    allow lvm_t self:socket create_stream_socket_perms;

Reproducible: Always
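A triage sketch for the audit records in the report above, added here as an example and not part of the original report or of any SELinux tool: it groups records by audit event id, decodes the hex `proctitle` into the command line, names the failing syscall, and merges the denials into a candidate allow rule. The function and constant names are assumptions of this example; the syscall numbers are the x86_64 ones and `AF_ALG = 38` is the Linux kernel crypto API socket family.

```python
import re
from collections import defaultdict

# Records copied from the report; SYSCALL lines trimmed to the fields used here.
SAMPLE = """\
type=UNKNOWN[1327] msg=audit(1417121201.520:71): proctitle=637279707473657475700062656E63686D61726B
type=SYSCALL msg=audit(1417121201.520:71): arch=c000003e syscall=41 success=no exit=-13 a0=26 a1=5 comm="cryptsetup"
type=AVC msg=audit(1417121201.520:71): avc: denied { create } for pid=1210 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0
type=UNKNOWN[1327] msg=audit(1417121512.685:86): proctitle=63727970747365747570006C756B73466F726D6174002D7300353132002F6465762F76646232002F6574632F6B6579732F746573742E6B6579
type=SYSCALL msg=audit(1417121512.685:86): arch=c000003e syscall=43 success=no exit=-13 a0=5 a1=0 comm="cryptsetup"
type=AVC msg=audit(1417121512.685:86): avc: denied { accept } for pid=18376 comm="cryptsetup" scontext=root:sysadm_r:lvm_t:s0 tcontext=root:sysadm_r:lvm_t:s0 tclass=socket permissive=0
"""
SYSCALLS_X86_64 = {41: "socket", 43: "accept"}  # only the two numbers seen above
AF_ALG = 38                                      # kernel crypto API socket family
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def parse_events(text):
    """Group records by audit event id and pull out the fields needed for triage."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m is None:
            continue
        ev = events[m.group(1)]
        if "proctitle=" in line:
            raw = bytes.fromhex(line.split("proctitle=")[1].strip())
            ev["cmdline"] = raw.replace(b"\0", b" ").decode()  # argv is NUL-separated
        elif line.startswith("type=SYSCALL"):
            f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
            ev["syscall"] = SYSCALLS_X86_64.get(int(f["syscall"]), f["syscall"])
            ev["a0"] = int(f["a0"], 16)                        # audit prints a0..a3 in hex
        elif (a := AVC.search(line)):
            ev["perms"] = a.group(1).split()
            ev["src"], ev["tgt"], ev["tclass"] = a.group(2, 3, 4)
    return dict(events)

def candidate_rules(events):
    """Merge denials per (source type, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for ev in events.values():
        if "perms" in ev:
            src_t = ev["src"].split(":")[2]                    # user:role:type:level
            target = "self" if ev["src"] == ev["tgt"] else ev["tgt"].split(":")[2]
            merged[(src_t, target, ev["tclass"])].update(ev["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print(parse_events(SAMPLE), candidate_rules(parse_events(SAMPLE)), sep="\n")
```

On these records the first event decodes to `cryptsetup benchmark` failing in `socket()` with `a0` equal to `AF_ALG`, and the second to the `luksFormat` command failing in `accept()`. The merged rule lists only the two observed permissions, both of which fall within the `create_stream_socket_perms` set granted by the rule in the report.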
Has been in policy since November 27, so is part of the r1 release
r1 is now stable