Bug 1489862

Summary: There is FW Raid set, but there is no /dev/md* device
Product: [Fedora] Fedora Reporter: Petr Schindler <pschindl>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: awilliam, dwalsh, harald, jsynacek, kay, kparal, lnykryn, lpoetter, lsm5, lvrabec, mgrepl, mschmidt, msekleta, plautrba, pmoore, robatino, ssahani, s, systemd-maint, vtrefny, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: selinux-policy-3.13.1-281.fc27 selinux-policy-3.13.1-283.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-16 05:55:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1396703    
Attachments:
Description Flags
Output of journalctl -a none

Description Petr Schindler 2017-09-08 13:59:17 UTC 
Created attachment 1323750 [details]
Output of journalctl -a

Description of problem:
I tried to install system from livecd workstation [0]. There was no disk listed in anaconda. I and Vojta Trefny tried to find out what is wrong. And we found that /dev/sd{a,b,c} have flags that they are part of raid, but the RAID device doesn't exist. When I try Fedora 26 it works correctly (there is devices md126 and 127 and those are shown in anaconda).

[0] https://kojipkgs.fedoraproject.org/compose/branched/Fedora-27-20170907.n.0/compose/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-27-20170907.n.0.iso



Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. crete fw raid (I used RAID 5)
2. boot to system
3.

Actual results:
raid device isn't in /dev/, but there are flags on the disks

Expected results:


Additional info:
I propose this as beta blocker as it violates the beta criterion: "The installer must be able to detect and install to hardware or firmware RAID storage devices. "
Comment 1 Petr Schindler 2017-09-08 14:01:52 UTC 
Vojto could you add some information about what did you see and try?
Comment 2 Michal Schmidt 2017-09-08 14:05:41 UTC 
The attached journalctl output shows mdadm is hitting SELinux denials:

Sep 08 15:54:17 localhost audit[895]: AVC avc:  denied  { map } for  pid=895 comm="mdadm" path="/dev/mem" dev="devtmpfs" ino=2067 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
Sep 08 15:54:17 localhost audit[895]: SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=1 a3=2 items=0 ppid=864 pid=895 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
[...]
Comment 3 Adam Williamson 2017-09-08 15:44:21 UTC 
Petr, can you confirm whether or not it works if you boot the live image in permissive mode, or try an installer image? (FWIW I usually test FW raid from an installer image rather than live).
Comment 4 Fedora Update System 2017-09-11 14:14:51 UTC 
selinux-policy-3.13.1-281.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f
Comment 5 Kamil Páral 2017-09-11 17:34:01 UTC 
Discussed during blocker review [1]:

AcceptedFreezeException (Beta), punt (delay decision) on blocker status - it's not 100% clear yet if the SELinux denials are the only problem here, so we will delay the blocker vote until we have confirmation on that. however, we think it at least makes sense to grant the SELinux fixes a freeze exception immediately

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-11/
Comment 6 Fedora Update System 2017-09-11 21:56:19 UTC 
selinux-policy-3.13.1-281.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f
Comment 7 Fedora Update System 2017-09-12 13:02:11 UTC 
selinux-policy-3.13.1-283.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f
Comment 8 Kamil Páral 2017-09-12 13:04:43 UTC 
(In reply to Adam Williamson from comment #3)
> Petr, can you confirm whether or not it works if you boot the live image in
> permissive mode, or try an installer image? (FWIW I usually test FW raid
> from an installer image rather than live).

I can confirm enforcing=0 fixes this problem with Live. I can't say update from comment 6 fixes this, I can verify once a new Live with it included it created. But the problem was definitely in selinux.
Comment 9 Fedora Update System 2017-09-12 19:56:01 UTC 
selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f
Comment 10 Dennis Gilmore 2017-09-14 17:24:30 UTC 
+1 Beta Blocker
Comment 11 Adam Williamson 2017-09-15 02:15:56 UTC 
Discussed at 2017-09-14 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-09-14/f27-beta-go-no-go-meeting.2017-09-14-17.00.html . Rejected as a blocker but accepted as a freeze exception, on the basis this seems to be strictly an SELinux issue, so it ought to work fine on the regular installer images (which run in permissive mode the whole time) and is easy to work around on lives (by booting with enforcing=0).
Comment 12 Fedora Update System 2017-09-16 05:55:09 UTC 
selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.