Bug 1794645

Summary: stratisd does not work under selinux-policy
Product: [Fedora] Fedora
Reporter: aannoaanno
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 31
CC: dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.4-45.fc31
Doc Type: If docs needed, set a value
Last Closed: 2020-02-01 01:30:44 UTC
Type: Bug
Bug Blocks: 1767743
Attachments: /var/log/messages (flags: none)

Description aannoaanno 2020-01-24 08:29:11 UTC
Description of problem:
stratisd does not work under selinux-policy

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-44.fc31.noarch

How reproducible:
always

Steps to Reproduce:
See https://github.com/stratis-storage/stratisd/issues/1684 for how to reproduce the problem.

Actual results:
With selinux enabled, stratisd is unable to mount stratisd managed disks while booting. Hence I was forced to switch to 'permissive mode' to get my system usable again _3 months ago_.

Expected results:
With selinux enforced, stratisd is able to mount stratisd managed disks while booting.

Additional info:
Also see https://bugzilla.redhat.com/show_bug.cgi?id=1767743 and related bugs

Comment 1 aannoaanno 2020-01-24 08:33:28 UTC
Currently I find the following selinux policy constraints violated in /var/log/messages:

Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { remove_name } for  pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { unlink } for  pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { rmdir } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

...

Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute_no_trans } for  pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { execute_no_trans } for  pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { map } for  pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { map } for  pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Jan 24 09:12:47 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:47 blacksnapper kernel: audit: type=1130 audit(1579853567.954:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { add_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { add_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { create } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { create } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { mounton } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc:  denied  { mounton } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc:  denied  { mount } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { mount } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { search } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { read } for  pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { open } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { getattr } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { unmount } for  pid=2003 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { remove_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { rmdir } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { search } for  pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { read } for  pid=2003 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { open } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { create } for  pid=2003 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/fb19a29e-ab39-4b41-8d37-0dc6d222a2b9.
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:49 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
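
The following script is an added example for triaging a batch of AVC denials like the ones in Comment 1; it is not code from this bug report, from stratisd or from selinux-policy. It parses both line shapes that appear above (the `audit[pid]: AVC avc:` userspace form and the `kernel: audit: type=1400 ...: avc:` form), aggregates the denials into audit2allow-style `allow` rules keyed by source type, target type and object class, and reports two things a policy reviewer should check before turning any of those rules into policy: whether every line carries `permissive=1` (logged only, nothing was actually blocked, so the list is the full set of operations enforcing mode would stop), and whether any target is `unlabeled_t` (a labelling problem on the mounted filesystem, which is fixed by labelling it, not by granting access to `unlabeled_t`). The sample input is a constructed subset copied from the log above plus one non-AVC kernel line; the printed rules are a review starting point, not the change that shipped in selinux-policy-3.14.4-45.fc31, which this bug does not show.

```python
"""Triage SELinux AVC denials from a syslog-style file (added example, not project code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from Comment 1 of the bug, plus one
# unrelated kernel line to show that non-AVC messages are skipped.
SAMPLE_LOG = """\
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { rmdir } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute_no_trans } for  pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { map } for  pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { mount } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { search } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { read } for  pid=2003 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { create } for  pid=2003 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
"""

# Matches both the "audit[pid]: AVC avc: denied" and "kernel: audit: type=1400 ...: avc: denied" shapes.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs after "for"; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=1 means the denial was only logged and the operation went ahead.
        "permissive": fields.get("permissive") == "1",
        "target": fields.get("path") or fields.get("name"),
    }


def summarize(log_text):
    """Aggregate denials into (source type, target type, class) -> set of permissions, plus counters."""
    rules = defaultdict(set)
    stats = {"denied": 0, "enforced": 0, "skipped": 0, "unlabeled": 0}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            stats["skipped"] += 1
            continue
        stats["denied"] += 1
        if not rec["permissive"]:
            stats["enforced"] += 1
        ttype = selinux_type(rec["tcontext"])
        if ttype == "unlabeled_t":
            stats["unlabeled"] += 1
        # Duplicates (the same denial logged by auditd and by the kernel) collapse into the set.
        rules[(selinux_type(rec["scontext"]), ttype, rec["tclass"])] |= rec["perms"]
    return dict(rules), stats


def format_rules(rules):
    """Render the aggregate as audit2allow-style allow rules: a starting point for review, not a fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]


def review_notes(stats):
    """Caveats a reviewer should read before adopting any of the generated rules."""
    notes = []
    if stats["denied"] and stats["enforced"] == 0:
        notes.append("every denial has permissive=1: nothing was blocked, so this is the full set of "
                     "operations enforcing mode would stop, not just the first failing one")
    if stats["unlabeled"]:
        notes.append("some targets are unlabeled_t: the mounted filesystem has no labels; fix the labelling "
                     "(a context= mount option, or relabelling its files) instead of allowing access to unlabeled_t")
    return notes


if __name__ == "__main__":
    aggregate, counters = summarize(SAMPLE_LOG)
    for rule in format_rules(aggregate):
        print(rule)
    print(counters)
    for note in review_notes(counters):
        print("NOTE:", note)
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents; on the sample it emits six rules, and both review notes fire, because all eleven candidate lines are `permissive=1` and two of them target `unlabeled_t`.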

Comment 2 aannoaanno 2020-01-24 08:38:53 UTC
Created attachment 1654974 [details]
/var/log/messages

Comment 3 Lukas Vrabec 2020-01-24 11:56:28 UTC
This issue should be fixed with next selinux-policy build.

Comment 4 Fedora Update System 2020-01-31 01:28:40 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17

Comment 5 Fedora Update System 2020-02-01 01:30:44 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 aannoaanno 2020-02-01 09:47:03 UTC
I was just able to verify that https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17 (selinux-policy-3.14.4-45.fc31) fixes the problem. Thank you for the support!

Comment 7 aannoaanno 2020-02-14 15:12:42 UTC
*** Bug 1767743 has been marked as a duplicate of this bug. ***