Bug 1755396
Summary: | SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | msmafra |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 31 | CC: | aannoaanno, amulhern, dwalsh, extras-qa, jonathanrioux, lvrabec, mgrepl, plautrba, zpytela |
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:2c6260d596ff231237ecd68c7f15d0305906d519c983b8e910be8749bbef8377;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.14.4-40.fc31.noarch selinux-policy-3.14.4-43.fc31 | Doc Type: | If docs needed, set a value |
Last Closed: | 2019-12-11 02:05:59 UTC | Type: | --- |
Description
msmafra
2019-09-25 12:18:36 UTC
commit 92748761feb61250510219298f50cd5d5c1d413d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Wed Oct 2 11:12:33 2019 +0200

    Allow stratisd to getattr of fixed disk device nodes

    Allow stratisd, a daemon that manages a pool of block devices to create flexible filesystems, to get the attributes of fixed disk device nodes.

    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1755396

FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

*** Bug 1767773 has been marked as a duplicate of this bug. ***

Well I report the 'duplicate' #1767773. On my system the problem is still there with selinux-policy-3.14.4-39.fc31.noarch. Proposed testing package is selinux-policy-3.14.4-36.fc31 and marked as obsolete.

Hence, I state the problem is NOT fixed and would like to REOPEN this bug...

Hi aannoaanno,

Issue is fixed in:
# rpm -q selinux-policy
selinux-policy-3.14.4-40.fc31.noarch
# sesearch -A -s stratisd_t -t fixed_disk_device_t -c blk_file
allow stratisd_t fixed_disk_device_t:blk_file getattr;

You can install it via:
# sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-aec8f7ab50

and add karma here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50

Thanks,
Lukas

Dear Lukas,

* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention this bug
* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention the duplicate bug
* nevertheless, I tried, but it does *NOT* fix this issue

Hence, I state the problem is NOT fixed and would like to REOPEN this bug...

I found the following in dmesg with selinux-policy-3.14.4-40.fc31.noarch:

[ 13.964073] audit: type=1400 audit(1573198423.176:78): avc: denied { read } for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[ 13.983380] audit: type=1400 audit(1573198423.196:79): avc: denied { read } for pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[ 13.985013] audit: type=1400 audit(1573198423.196:80): avc: denied { getattr } for pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
[ 13.991528] audit: type=1130 audit(1573198423.204:81): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 13.992231] audit: type=1400 audit(1573198423.204:82): avc: denied { read } for pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[ 14.057108] audit: type=1130 audit(1573198423.269:83): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 14.060405] audit: type=1400 audit(1573198423.271:84): avc: denied { read } for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

Just as a reminder: drckeefe has managed to reproduce the problem: https://github.com/stratis-storage/stratisd/issues/1684

Hi,

Thank you for the SELinux denials, however they are different than the SELinux denial from the bug description. I added all the fixes.

commit 42440b950d4cc6b6b8d547d3c3d11533e5e761fa (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 8 16:55:22 2019 +0100

    Allow stratisd_t domain to read nvme and fixed disk devices

    Resolves: rhbz#1770134

Thanks,
Lukas

I had the same problem, updated to selinux-policy-nightly.
Now stratisd will start, but will not be able to create a pool. Other permission issues seem to persist.
See: https://github.com/stratis-storage/stratisd/issues/1684#issuecomment-554164413
Thanks

FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Well, the system suffered from a power unit hardware problem. Sorry for the delayed answer.

Package selinux-policy-3.14.4-42.fc31 works better - but the problem is _not_ gone with it. I now find the following in dmesg:

[ 23.565628] audit: type=1130 audit(1574968794.744:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 23.574364] device-mapper: table: 253:11: cache: unknown target type
[ 23.574396] audit: type=1400 audit(1574968794.753:65): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.575494] device-mapper: ioctl: error adding target to table
[ 23.632232] device-mapper: table: 253:11: cache: unknown target type
[ 23.632265] audit: type=1400 audit(1574968794.811:66): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.633468] device-mapper: ioctl: error adding target to table
[ 23.637369] audit: type=1130 audit(1574968794.816:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 23.676220] device-mapper: table: 253:11: cache: unknown target type
[ 23.676252] audit: type=1400 audit(1574968794.855:68): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.677704] device-mapper: ioctl: error adding target to table

With the selinux warning browser, I see the following problems with selinux-policy-3.14.4-42.fc31:

* SELinux is preventing mount from 'read' accesses on the blk_file loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:347): avc: denied { read } for pid=5364 comm="mount" name="loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from 'open' accesses on the blk_file /dev/loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:348): avc: denied { open } for pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from 'ioctl' accesses on the blk_file /dev/loop1.
type=AVC msg=audit(1557599764.3:349): avc: denied { ioctl } for pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 ioctlcmd=0x4c05 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from read, write access on the chr_file loop-control.
type=AVC msg=audit(1557599764.3:350): avc: denied { read write } for pid=5364 comm="mount" name="loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'open' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:351): avc: denied { open } for pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'ioctl' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:352): avc: denied { ioctl } for pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'write' accesses on the blk_file loop2.
type=AVC msg=audit(1557599764.4:353): avc: denied { write } for pid=5364 comm="mount" name="loop2" dev="devtmpfs" ino=67850 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing systemd from 'create' accesses on the Verzeichnis recordings.
type=AVC msg=audit(1567538795.411:845): avc: denied { create } for pid=1 comm="systemd" name="recordings" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
* SELinux is preventing cp from using the 'setfscreate' accesses on a process.
type=AVC msg=audit(1569263071.507:365): avc: denied { setfscreate } for pid=8657 comm="cp" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=process permissive=1
* Process stratisd tried to access system with module_request.
* SELinux is preventing stratisd from 'execute' accesses on the Datei /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:776): avc: denied { execute } for pid=16969 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
* SELinux is preventing stratisd from 'execute_no_trans' accesses on the Datei /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:777): avc: denied { execute_no_trans } for pid=16969 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
* Process thin_check tried to access /usr/sbin/pdata_tools with map.
* Process stratisd tried to write to directory /stratis
* Process stratisd tried to access directory .mdv-093c... with add_name.
* Process stratisd tried to access directory .mdv-093c... with create.
type=AVC msg=audit(1572695079.107:482): avc: denied { create } for pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory .mdv-093c... with mounton.
* Process stratisd tried to access filesystem /.
type=AVC msg=audit(1572695079.135:484): avc: denied { mount } for pid=6651 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access directory 'filesystems' with read.
type=AVC msg=audit(1572695079.136:486): avc: denied { read } for pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory 'filesystems' with open.
* Process stratisd tried to access directory 'filesystems' with getattr.
* Process stratisd tried to access filesystem with unmount.
type=AVC msg=audit(1572695079.136:489): avc: denied { unmount } for pid=6651 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access directory .mdv-093c... with remove_name.
* Process stratisd tried to access directory .mdv-093c... with rmdir.
type=AVC msg=audit(1572695079.220:491): avc: denied { rmdir } for pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=134343861 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory 'filesystems' with search.
type=AVC msg=audit(1572695079.247:492): avc: denied { search } for pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
* Process stratisd tried to access file 1715509...4d.json with read.
type=AVC msg=audit(1572695079.247:493): avc: denied { read } for pid=6651 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
* Process stratisd tried to access file 1715509...4d.json with open.
* Process stratisd tried to access /mnt/opt with getattr.
type=AVC msg=audit(1572695079.338:495): avc: denied { getattr } for pid=6651 comm="stratisd" name="/" dev="dm-17" ino=2048 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access lnk_file /stratis/stratis_hdd/opt with unlink.
type=AVC msg=audit(1572695079.339:496): avc: denied { unlink } for pid=6651 comm="stratisd" name="opt" dev="dm-4" ino=146941056 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
* Process stratisd tried to access lnk_file /opt with create.
type=AVC msg=audit(1572695079.339:497): avc: denied { create } for pid=6651 comm="stratisd" name="opt" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
* Process systemd tried to access capability2 with mac_admin.
type=AVC msg=audit(1575127332.448:120): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
* Process mandb tried to access directory /var/lib/snapd with search.
type=AVC msg=audit(1575127443.105:355): avc: denied { search } for pid=5298 comm="mandb" name="snapd" dev="dm-4" ino=134536464 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 trawcon="system_u:object_r:snappy_var_lib_t:s0"

Well, I'm reporter of the 'duplicate' bug https://bugzilla.redhat.com/show_bug.cgi?id=1767773 that I opened on 2019-11-01 11:51:45 UTC. My problem is _still_ _not_ _solved_ in Fedora 31, but I can't see any progress here.

Hence this is my question: Is there still the intent to solve this problem in Fedora 31? Can I provide additional information on the subject?

FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

selinux-policy-3.14.4-43.fc31 does not resolve this issue

container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

The problem is still there with selinux-policy-3.14.4-43.fc31, and I would like to reopen the bug as I still see the following in /var/log/messages:

Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { module_request } for pid=836 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: cache: Origin device (dm-8) discard unsupported: Disabling discard passdown.
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Dec 19 18:10:27 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { execute } for pid=1419 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { execute_no_trans } for pid=1419 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { map } for pid=1419 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { write } for pid=836 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { add_name } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { create } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { mounton } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { mount } for pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { search } for pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { read } for pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { open } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { getattr } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { unmount } for pid=836 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { remove_name } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { rmdir } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { search } for pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { read } for pid=836 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { open } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec 19 18:10:27 blacksnapper stratisd[836]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 13
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { create } for pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Dec 19 18:10:27 blacksnapper kernel: kauditd_printk_skb: 67 callbacks suppressed
Dec 19 18:10:27 blacksnapper kernel: audit: type=1400 audit(1576775427.680:76): avc: denied { create } for pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.

I also voted against the 'fix' at https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e.
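
Added example (not part of the original thread, and not code from selinux-policy or stratisd): the denials posted above, reduced to (source type, target type, class) permission sets and compared with the allow rule shown by the sesearch command in the thread, so that what a policy update still leaves denied is listed as candidate rules for review. The function names are assumptions of this example; the first sample record is constructed from the bug summary, the others are copied from the dmesg excerpts in the comments.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

# Output of the sesearch command quoted in the thread (selinux-policy-3.14.4-40).
SESEARCH_OUTPUT = "allow stratisd_t fixed_disk_device_t:blk_file getattr;"

# First record is constructed from the bug summary (getattr on /dev/sdb1);
# the remaining lines are copied from the dmesg excerpts in the comments.
SAMPLE_LOG = """\
audit: type=1400 audit(0.000:1): avc: denied { getattr } for pid=1 comm="stratisd" path="/dev/sdb1" dev="devtmpfs" ino=1 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[ 13.964073] audit: type=1400 audit(1573198423.176:78): avc: denied { read } for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[ 13.985013] audit: type=1400 audit(1573198423.196:80): avc: denied { getattr } for pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
[ 23.574364] device-mapper: table: 253:11: cache: unknown target type
[ 23.574396] audit: type=1400 audit(1574968794.753:65): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
""".splitlines()


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START, device-mapper and other non-AVC lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]),
               fields["tclass"])
        denied[key].update(m.group(1).split())
    return dict(denied)


def parse_allow_rules(text):
    """Parse sesearch-style allow rules into the same keyed form.

    Rules granted through an attribute can be printed under the attribute's
    name rather than the type's; those are not matched by this comparison.
    """
    allowed = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(text):
        allowed[(src, tgt, cls)].update((many or one).split())
    return dict(allowed)


def remaining_rules(log_lines, sesearch_text):
    """Denied permissions the given allow rules do not grant, as allow rules."""
    allowed = parse_allow_rules(sesearch_text)
    rules = []
    for key, perms in sorted(parse_denials(log_lines).items()):
        missing = sorted(perms - allowed.get(key, set()))
        if missing:
            body = missing[0] if len(missing) == 1 else "{ %s }" % " ".join(missing)
            rules.append("allow %s %s:%s %s;" % (key[0], key[1], key[2], body))
    return rules


if __name__ == "__main__":
    for rule in remaining_rules(SAMPLE_LOG, SESEARCH_OUTPUT):
        print(rule)
```

On the sample, the getattr on fixed_disk_device_t is covered by the quoted rule, while the read on fixed_disk_device_t, the getattr on nvme_device_t and the module_request are still reported.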