Bug 1375156
Field | Value
---|---
Summary | SELinux cripples storaged
Product | [Fedora] Fedora
Component | selinux-policy
Version | 25
Status | CLOSED ERRATA
Severity | unspecified
Priority | unspecified
Reporter | Marius Vollmer <mvollmer>
Assignee | Lukas Vrabec <lvrabec>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | bugzilla, dominick.grift, dwalsh, kparal, lvrabec, mgrepl, pavel.raur.pr, phatina, plautrba, pschindl, puiterwijk, robatino, stefw, tsmetana
Keywords | Reopened
Hardware | Unspecified
OS | Unspecified
Whiteboard | AcceptedBlocker
Fixed In Version | selinux-policy-3.13.1-219.fc25 selinux-policy-3.13.1-191.19.fc24
Doc Type | If docs needed, set a value
Last Closed | 2016-10-22 07:54:37 UTC
Type | Bug
Bug Blocks | 1277289
Description
Marius Vollmer
2016-09-12 10:25:10 UTC
We have replaced udisks2 with storaged and I suspect the udisks2 policy needs to be ported/copied for storaged.

However it can't be fixed in the storaged package.

The Cockpit integration tests are tracking this issue. Occurrences will be listed here: https://github.com/cockpit-project/cockpit/issues/5041

*** Bug 1374334 has been marked as a duplicate of this bug. ***

> Duplicate of this bug: 1374334

Interesting. GNOME Disks seems to be able to talk to storaged, no? That doesn't match with the symptoms of this bug here, where storaged can't start at all.
Fix: https://github.com/fedora-selinux/selinux-policy/commit/f03db1257b911bc97dddb88b488a9b0df2b40848

(In reply to Marius Vollmer from comment #4)
> > Duplicate of this bug: 1374334
>
> Interesting. GNOME Disks seems to be able to talk to storaged, no? That
> doesn't match with the symptoms of this bug here, where storaged can't start
> at all.

I didn't realize it. However in both the cases it's the same SELinux policy. And it's more likely the standard GNOME installation doesn't include all the storaged modules, etc... Let's see whether Lukas would be able to fix it in one shot (fingers crossed).

selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Lukas, I see this during update. Is that expected?

Upgrading : selinux-policy-targeted-3.13.1-214.fc25.noarch 32/112
Re-declaration of type udisks2_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/udisks2/cil:1
/usr/sbin/semodule: Failed!

I saw the same error. But selinux seems to be fixed. udisksd seems to start fine with selinux-policy-3.13.1-214.fc25

Discussed at 2016-09-19 blocker review meeting: [1]. This bug was accepted as Final blocker: This bug violates the final criterion: "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-09-19/

selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository.
If problems still persist, please make note of it in this bug report.

This has improved, but it's not completely fixed yet. Starting udisks2 takes a long time, and actually causes udisksctl to timeout when it is autoactivating it:

# systemctl stop udisks2.service
# udisksctl status
Error connecting to the udisks daemon: Error calling StartServiceByName for org.freedesktop.UDisks2: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.UDisks2': timed out
# udisksctl status
MODEL REVISION SERIAL DEVICE
--------------------------------------------------------------------------
VirtIO Disk vda
QEMU DVD-ROM 2.5+ QM00001 sr0

The following audit messages can be found:

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1474441751.195:245): avc: denied { write } for pid=2158 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474441753.192:246): avc: denied { write } for pid=2159 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474443029.558:316): avc: denied { write } for pid=2651 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1475752074.195:232): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.33 spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:234): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:235): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.931:236): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.933:237): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752221.104:240): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.35 spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:242): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:243): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752499.181:178): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:192): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:193): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:194): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:195): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:196): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752564.227:211): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.21 spid=678 tpid=1202 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475753927.558:220): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.24 spid=678 tpid=1278 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

(Does anyone take bets how many iterations we will need? :-)

Cockpit issue was fixed and will be in next rawhide build, other issues are fixed already.

*** Bug 1382532 has been marked as a duplicate of this bug. ***

> other issues are fixed already.
Where?
This is fixed with selinux-policy-3.13.1-218.fc25, at least with cockpit on Fedora Server.

selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-552be55062

(In reply to Lukas Vrabec from comment #19)
> Here
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b70b59f26

Thank you for the information!

selinux-policy-3.13.1-218.fc25 fixes the issues for us: https://fedorapeople.org/groups/cockpit/logs/pull-5153-6366ec64-verify-fedora-25/log.html (The remaining failure is something else.) Thanks!

selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e035472778

selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
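
The audit records quoted earlier in this report repeat the same two denials many times over. As an added example (not part of the bug report or of selinux-policy), the Python below groups kernel AVC and userspace USER_AVC denials by source type, target type, class and permission, written in the allow-rule form that audit2allow prints; the sample lines are a subset of the records quoted in the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: a subset of the records quoted in this report
# (two kernel AVC denials, one USER_AVC of each msgtype).
SAMPLE_LOG = """\
type=AVC msg=audit(1474441751.195:245): avc: denied { write } for pid=2158 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474441753.192:246): avc: denied { write } for pid=2159 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1475752074.195:232): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.33 spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:234): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Record type, the permission set in braces, then the key=value tail.
RECORD = re.compile(
    r"type=(?P<rtype>USER_AVC|AVC)\b.*?avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def parse_denials(log_text):
    """Return one (record type, source, target, class, perm) per denied permission."""
    denials = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        fields = {k: v.strip("\"'") for k, v in FIELD.findall(m.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing to group on
        for perm in m.group("perms").split():
            denials.append((m.group("rtype"), selinux_type(fields["scontext"]),
                            selinux_type(fields["tcontext"]), fields["tclass"], perm))
    return denials

def summarize(log_text):
    """Collapse repeated denials into (rule text, record type, count)."""
    counts = Counter(parse_denials(log_text))
    return [(f"allow {s} {t}:{c} {p};", rtype, n)
            for (rtype, s, t, c, p), n in sorted(counts.items())]

if __name__ == "__main__":
    for rule, rtype, n in summarize(SAMPLE_LOG):
        print(f"{n:3d}x {rtype:8s} {rule}")
```

The rule text is a triage summary of what was denied, not the change that shipped; the fix for this bug was delivered in the selinux-policy updates named in the comments.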