Bug 1794645
| Field | Value |
|---|---|
| Summary | stratisd does not work under selinux-policy |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 31 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | aannoaanno |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela |
| Fixed In Version | selinux-policy-3.14.4-45.fc31 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-02-01 01:30:44 UTC |
| Type | Bug |
| Bug Blocks | 1767743 |

Description
aannoaanno
2020-01-24 08:29:11 UTC
Currently I find the following selinux policy constraints violated in /var/log/messages:

Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { remove_name } for pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { unlink } for pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { rmdir } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
...
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute_no_trans } for pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { execute_no_trans } for pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { map } for pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { map } for pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Jan 24 09:12:47 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:47 blacksnapper kernel: audit: type=1130 audit(1579853567.954:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { add_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { add_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { create } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { create } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mounton } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc: denied { mounton } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { search } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { read } for pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { open } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { getattr } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { unmount } for pid=2003 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { remove_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { rmdir } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { search } for pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { read } for pid=2003 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { open } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { create } for pid=2003 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/fb19a29e-ab39-4b41-8d37-0dc6d222a2b9.
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:49 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available

Created attachment 1654974
/var/log/messages

This issue should be fixed with next selinux-policy build.

selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17

selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

I was just able to verify that https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17 (selinux-policy-3.14.4-45.fc31) fixes the problem. Thank you for support!

*** Bug 1767743 has been marked as a duplicate of this bug. ***
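
For triaging a log like the one in the description, the following added example (not part of the bug report and not code from selinux-policy or stratisd) parses AVC denial lines, merges the duplicate journal/kernel copies, and groups permissions by source type, target type and class. The function names and the `allow`-style output layout are this example's own choices; the sample lines are excerpted from the log above.

```python
import re
from collections import defaultdict

# Five lines excerpted from the report's log; line 2 is the kernel-side copy of
# line 1, and the last line is a non-AVC message that must be ignored.
SAMPLE = r'''Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { add_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for non-AVC or truncated lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'source': kv['scontext'].split(':')[2],   # user:role:TYPE:level
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        # permissive=1: the access was logged but still allowed
        'permissive': kv.get('permissive') == '1',
    }

def summarize(text):
    """Group permissions per (source, target, class); count enforced denials."""
    rules, blocked = defaultdict(set), 0
    for rec in filter(None, map(parse_avc, text.splitlines())):
        rules[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
        blocked += not rec['permissive']
    return dict(rules), blocked

def as_allow_rules(rules):
    """Render the grouped denials as allow-style lines for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, blocked = summarize(SAMPLE)
    print("\n".join(as_allow_rules(rules)))
    print(f"denials actually blocked (permissive != 1): {blocked}")
```

Treat the output as a review list rather than policy to load: denials against generic types such as `root_t` or `unlabeled_t` often indicate a missing file-context label rather than a permission that should be granted as-is.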