Bug 1314968
Summary: | SELinux is preventing systemd-gpt-aut from 'ioctl' accesses on the blk_file /dev/nvme0n1. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | redhat |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 24 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, stefw |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:26ac4e398d1e924115f9622b0e7524bc61ca92e859a89d7594af716dbb2844ec;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.13.1-179.fc24 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-03-23 16:55:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
redhat
2016-03-05 10:37:57 UTC
We need to create new policy for systemd-gpt-auto-generator with proper rules. commit 757f5a832e1b8dac93120116c7b442c44cd5e995 Author: Lukas Vrabec <lvrabec> Date: Mon Mar 7 10:39:45 2016 +0100 Add support for systemd-gpt-auto-generator. rhbz#1314968 commit 057a426fad84ace79c93824c8c10adb38e5ee7ca Author: Lukas Vrabec <lvrabec> Date: Tue Mar 8 14:45:36 2016 +0100 Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015 selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015 The update above does not fix the issue. The Cockpit integration tests continue to fail with tons of AVC's about this. # rpm -q selinux-policy selinux-policy-3.13.1-178.fc24.noarch Unexpected journal message 'audit: type=1400 audit(1457971955.393:278): avc: denied { read } for pid=1591 comm="systemd-gpt-aut" name="vda" dev="devtmpfs" ino=10430 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1' Unexpected journal message 'audit: type=1400 audit(1457971955.393:278): avc: denied { open } for pid=1591 comm="systemd-gpt-aut" path="/dev/vda" dev="devtmpfs" ino=10430 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1' Unexpected journal message 'audit: type=1400 audit(1457971955.483:279): avc: denied { getattr } for pid=1591 comm="systemd-gpt-aut" path="/dev/vda" dev="devtmpfs" ino=10430 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1' Unexpected journal message 'audit: type=1400 audit(1457971955.509:280): avc: denied { ioctl } for pid=1591 comm="systemd-gpt-aut" path="/dev/vda" dev="devtmpfs" ino=10430 ioctlcmd=1272 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1' commit 96e21eca9068aa7d6a902a5a5a86d75ee6df0aea Author: Lukas Vrabec <lvrabec> Date: Tue Mar 15 10:49:28 2016 +0100 Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968 selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969 selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969 selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |