Bug 1489862
Summary: | There is FW Raid set, but there is no /dev/md* device | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Schindler <pschindl> | ||||
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 27 | CC: | awilliam, dwalsh, harald, jsynacek, kay, kparal, lnykryn, lpoetter, lsm5, lvrabec, mgrepl, mschmidt, msekleta, plautrba, pmoore, robatino, ssahani, s, systemd-maint, vtrefny, zbyszek | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | RejectedBlocker AcceptedFreezeException | ||||||
Fixed In Version: | selinux-policy-3.13.1-281.fc27 selinux-policy-3.13.1-283.fc27 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-09-16 05:55:09 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1396703 | ||||||
Attachments: |
|
Description
Petr Schindler
2017-09-08 13:59:17 UTC
Vojto could you add some information about what did you see and try? The attached journalctl output shows mdadm is hitting SELinux denials: Sep 08 15:54:17 localhost audit[895]: AVC avc: denied { map } for pid=895 comm="mdadm" path="/dev/mem" dev="devtmpfs" ino=2067 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0 Sep 08 15:54:17 localhost audit[895]: SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=1 a3=2 items=0 ppid=864 pid=895 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null) [...] Petr, can you confirm whether or not it works if you boot the live image in permissive mode, or try an installer image? (FWIW I usually test FW raid from an installer image rather than live). selinux-policy-3.13.1-281.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f Discussed during blocker review [1]: AcceptedFreezeException (Beta), punt (delay decision) on blocker status - it's not 100% clear yet if the SELinux denials are the only problem here, so we will delay the blocker vote until we have confirmation on that. however, we think it at least makes sense to grant the SELinux fixes a freeze exception immediately [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-11/ selinux-policy-3.13.1-281.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f selinux-policy-3.13.1-283.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f (In reply to Adam Williamson from comment #3) > Petr, can you confirm whether or not it works if you boot the live image in > permissive mode, or try an installer image? (FWIW I usually test FW raid > from an installer image rather than live). I can confirm enforcing=0 fixes this problem with Live. I can't say update from comment 6 fixes this, I can verify once a new Live with it included it created. But the problem was definitely in selinux. selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f +1 Beta Blocker Discussed at 2017-09-14 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-09-14/f27-beta-go-no-go-meeting.2017-09-14-17.00.html . Rejected as a blocker but accepted as a freeze exception, on the basis this seems to be strictly an SELinux issue, so it ought to work fine on the regular installer images (which run in permissive mode the whole time) and is easy to work around on lives (by booting with enforcing=0). selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |