On Sat, 23 Apr 2016 18:51:52 +0200
Milan Broz <gmazyland@xxxxxxxxx> wrote:

> On 04/23/2016 03:17 PM, Julien Lepiller wrote:
> > On Sat, 23 Apr 2016 10:45:52 +0200
> > Milan Broz <gmazyland@xxxxxxxxx> wrote:
> >
> >> On 04/22/2016 02:01 PM, Julien Lepiller wrote:
> >>> Hello,
> >>>
> >>> I am trying to use cryptsetup with a disk that has been encrypted
> >>> some time ago. I'm using Linux From Scratch, and built cryptsetup
> >>> myself. What I see when I run luksOpen is the following (all
> >>> commands are run as root) :
> >>>
> >>> # cryptsetup 1.7.1 processing "cryptsetup --debug
> >>> luksOpen /dev/sda1 hdd"
> >> ...
> >>> # Activating volume hdd [keyslot -1] using [none] passphrase.
> >>> # dm version OF [16384] (*1)
> >>> # device-mapper: version ioctl on failed: Permission denied
> >>
> >> This looks like you cannot access something (/dev/mapper/control?)
> >> and then it just fails because of this initial failure.
> >>
> >> Do you have SElinux switched on?
> >>
> >> What is output of "dmsetup version" - does it work?
> >>
> >> Milan
> >
> > Thank you for your answer, the output of the command is:
> >
> > Library version: 1.02.121 (2016-04-01)
> > Driver version: 4.34.0
> >
> > Selinux is switched off (I tried to use it, so I have the libraries,
> > but it just does not work at all), and there is nothing in
> > journald.
>
> Ok, so device mapper works.
>
> So if it is not SElinux, something is preventing ioctl to run.
> (The error is internal libdevmapper error.)
>
> Do you compile libgcrypt yourself with POSIX capabilities enabled?
>
> If so, gcrypt drops privileges for the whole calling process...
> see comment in lib/crypto_backend/crypto_gcrypt.c:
>
>     /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
>      * it drops all privileges during secure memory initialisation.
>      * For now, the only workaround is to disable secure memory in gcrypt.
>      * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
>      * and it locks its memory space anyway.
>      */
>     #if 0
>
>
> If it is your case, please do not use capabilities in gcrypt or
> try to change define above in cryptsetup source as a workaround and
> recompile it.
>
> Thanks,
> Milan

I rebuilt libgcrypt without posix capabilities, and it now works. Thank
you so much for your help!

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt