QA/TestCases/LUKS Using Selinux (disabled): Difference between revisions

Description

Support the use of encrypted filesystems for anything other than /boot using cryptsetup and LUKS. This includes install time creation/configuration, as well as integrated support in mkinitrd and initscripts (others?). Currently we are only pursuing support for encrypted devices using cryptsetup/LUKS.

When using encrypted file systems/block devices, the selinux functionality should continue to work as expected, and not create situations where the encryption leads to undesired selinux errors; in particular, a successful installation using any of the operating selinux modes "enforcing", "permissive" and "disabled" should be successful.

References:

1. Anaconda/Features/EncryptedBlockDevices
2. Releases/FeatureEncryptedFilesystems

Steps To Reproduce

• Boot anaconda
• Proceed to the partitioning dialog
• Select the checkbox item "Encrypt system"
• Enable the "disabled" selinux setting
• Enter and confirm the passphrase in a pop up dialog for the encrypted filesystem
• choose default partitioning layout and continue to the disk druid partition screen
• continue with installation

"Remove linux partitions on selected drives and create default layout"

Expected Results

• Confirmed "Encrypt system" item is checked
• Verify installation completes successfully
• Upon reboot, the user is asked for the LUKS passphrase at the console
• Verify entry in /etc/crypttab is present for LUKS device
• Verify selinux is in disabled in post-install system
• post-install system boots completely and is usable, and does not have selinux errors that would significantly hamper system operation

/etc/crypttab may look something like:

luks-sda2    /dev/sda2    none