Bug 2048514

Summary: udev can't create /dev/stratis/poolname/fsname links any more: avc: denied { associate } for comm="systemd-udevd" name="stratis"
Product: Red Hat Enterprise Linux 8
Reporter: Martin Pitt <mpitt>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: medium
Version: 8.6
CC: amulhern, bgurney, dkeefe, lvrabec, mmalik, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Regression, Triaged
Target Release: 8.6
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-90.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 15:15:49 UTC
Type: Bug

Description Martin Pitt 2022-01-31 12:17:50 UTC
Our weekly RHEL 8.6 nightly image refresh for Cockpit [1] regressed on stratis. /usr/lib/udev/rules.d/61-stratisd.rules is supposed to create links like /dev/stratis/poolname/fsname, but this does not work any more:

kernel: audit: type=1400 audit(1643629983.069:4): avc:  denied  { associate } for  pid=3633 comm="systemd-udevd" name="stratis" scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0

Full journal is at [2], in case it's necessary.

Version-Release number of selected component (if applicable):

stratis itself did not change (stratisd-2.4.2-2.el8.x86_64), but several related packages got updated:

device-mapper (8:1.02.181-2.el8 -> 8:1.02.181-3.el8)
kernel (4.18.0-359.el8 -> 4.18.0-360.el8)
lvm2 (8:2.03.14-2.el8 -> 8:2.03.14-3.el8)
selinux-policy (3.14.3-86.el8 -> 3.14.3-89.el8)
systemd-udev (239-55.el8 -> 239-56.el8)


Reproducer:

You need some block device of at least 4 GB, called /dev/sda here.

  stratis pool create TEST1 /dev/sda
  stratis filesystem create TEST1 fsys1

leads to

Jan 31 07:16:52 rhel-8-6-127-0-0-2-2201 stratisd[823]: [2022-01-31T12:16:52Z INFO  libstratis::dbus_api::pool::pool_2_0::methods] The following filesystems name: fsys1, UUID: a2f94519-b95b-4015-a33f-c10e6967d32b were successfully created
Jan 31 07:16:52 rhel-8-6-127-0-0-2-2201 systemd-udevd[3659]: symlink '../../dm-5' '/dev/stratis/TEST1/fsys1.tmp-b253:5' failed: Permission denied
Jan 31 07:16:52 rhel-8-6-127-0-0-2-2201 kernel: audit: type=1400 audit(1643631412.495:4): avc:  denied  { associate } for  pid=3659 comm="systemd-udevd" name="stratis" scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
Jan 31 07:16:52 rhel-8-6-127-0-0-2-2201 kernel: audit: type=1400 audit(1643631412.495:5): avc:  denied  { associate } for  pid=3659 comm="systemd-udevd" name="stratis" scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0



[1] https://github.com/cockpit-project/bots/pull/2870
[2] https://logs.cockpit-project.org/logs/pull-2870-20220129-022915-bcc0059a-rhel-8-6-cockpit-project-cockpit/TestStorageStratis-testCli-rhel-8-6-127.0.0.2-2501-FAIL.log.gz

Comment 1 Martin Pitt 2022-01-31 12:21:01 UTC
Adding stratis RHEL maintainer Bryan, FYI.

Comment 2 Zdenek Pytela 2022-01-31 13:03:45 UTC
It is a result of adding new types for:
https://bugzilla.redhat.com/show_bug.cgi?id=1879585


rhel8# matchpathcon /dev/stratis /dev/stratis/poolname /dev/stratis/poolname/fsname
/dev/stratis    system_u:object_r:stratisd_data_t:s0
/dev/stratis/poolname   system_u:object_r:stratisd_data_t:s0
/dev/stratis/poolname/fsname    system_u:object_r:stratisd_data_t:s0

We seem not to have a test to check any functional scenario.

Comment 3 Milos Malik 2022-01-31 14:22:42 UTC
When the "service systemd-udevd restart" command is called after creating various stratis pools / filesystems then the following SELinux denials appear:

----
type=PROCTITLE msg=audit(01/31/2022 09:01:47.570:1260) : proctitle=/usr/lib/systemd/systemd-udevd 
type=PATH msg=audit(01/31/2022 09:01:47.570:1260) : item=1 name=/dev/stratis nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2022 09:01:47.570:1260) : item=0 name=/dev/ inode=3 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2022 09:01:47.570:1260) : cwd=/ 
type=SYSCALL msg=audit(01/31/2022 09:01:47.570:1260) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7ffeb8d0bbb0 a1=0755 a2=0x558e3ab48b00 a3=0x0 items=2 ppid=36450 pid=47819 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-udevd exe=/usr/lib/systemd/systemd-udevd subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2022 09:01:47.570:1260) : avc:  denied  { associate } for  pid=47819 comm=systemd-udevd name=stratis scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(01/31/2022 09:01:47.570:1261) : proctitle=/usr/lib/systemd/systemd-udevd 
type=PATH msg=audit(01/31/2022 09:01:47.570:1261) : item=1 name=/dev/stratis nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2022 09:01:47.570:1261) : item=0 name=/dev/ inode=3 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2022 09:01:47.570:1261) : cwd=/ 
type=SYSCALL msg=audit(01/31/2022 09:01:47.570:1261) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7ffeb8d0bba0 a1=0755 a2=0x558e3ab48b00 a3=0x0 items=2 ppid=36450 pid=47819 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-udevd exe=/usr/lib/systemd/systemd-udevd subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2022 09:01:47.570:1261) : avc:  denied  { associate } for  pid=47819 comm=systemd-udevd name=stratis scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\* stratis\* | sort
selinux-policy-3.14.3-89.el8.noarch
selinux-policy-devel-3.14.3-89.el8.noarch
selinux-policy-targeted-3.14.3-89.el8.noarch
stratis-cli-2.4.2-1.el8.noarch
stratisd-2.4.2-2.el8.x86_64
#

Comment 4 Milos Malik 2022-01-31 14:33:44 UTC
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/31/2022 09:25:46.835:1715) : proctitle=/usr/lib/systemd/systemd-udevd 
type=PATH msg=audit(01/31/2022 09:25:46.835:1715) : item=1 name=/dev/stratis inode=176905 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:stratisd_data_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2022 09:25:46.835:1715) : item=0 name=/dev/ inode=3 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2022 09:25:46.835:1715) : cwd=/ 
type=SYSCALL msg=audit(01/31/2022 09:25:46.835:1715) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7ffd711b3330 a1=0755 a2=0x563aaf6bd280 a3=0x0 items=2 ppid=47855 pid=62021 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-udevd exe=/usr/lib/systemd/systemd-udevd subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2022 09:25:46.835:1715) : avc:  denied  { associate } for  pid=62021 comm=systemd-udevd name=stratis scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(01/31/2022 09:25:46.838:1716) : avc:  denied  { read } for  pid=1 comm=systemd name=fsys1 dev="devtmpfs" ino=176907 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1 
----

Comment 6 Zdenek Pytela 2022-02-02 16:54:55 UTC
2 more commits to backport:
0824f6764 (HEAD -> rawhide, upstream/rawhide) Associate stratisd_data_t with device filesystem
a27476b30 Allow init read stratis data symlinks
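
The two denials in this thread (the `associate` denial on the device filesystem and the `read` denial on the stratis symlink) correspond one-to-one to the two policy commits listed above. As an added example, not code from this bug or from selinux-policy, the Python below parses AVC records in both the journal form (quoted values) and the `ausearch -i` form seen in the comments and derives the type-enforcement rule each denial calls for, which is how a triager checks that a denial is a missing policy rule rather than a mislabelled path; the sample records are constructed from the lines in this report.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two denials from this bug, one in the kernel/journal
# form (quoted values, permissive=0) and one in the ausearch -i form (permissive=1).
SAMPLE_AUDIT = """\
kernel: audit: type=1400 audit(1643631412.495:4): avc:  denied  { associate } for  pid=3659 comm="systemd-udevd" name="stratis" scontext=system_u:object_r:stratisd_data_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(01/31/2022 09:25:46.838:1716) : avc:  denied  { read } for  pid=1 comm=systemd name=fsys1 dev="devtmpfs" ino=176907 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
"""

# Matches the permission set, source/target contexts, object class and the
# optional permissive flag of one AVC record, whatever prefix the logger added.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def _type_of(context: str) -> str:
    # A context is user:role:type:level; the type is always the third field,
    # also for MLS ranges such as s0-s0:c0.c1023.
    return context.split(":")[2]

def parse_avc(line: str) -> Optional[Dict]:
    """Return the relevant fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m["perms"].split(),
        "stype": _type_of(m["scontext"]),
        "ttype": _type_of(m["tcontext"]),
        "tclass": m["tclass"],
        # permissive=1 means the operation was logged but not actually blocked
        "permissive": m["permissive"] == "1",
    }

def needed_rules(log: str) -> List[str]:
    """Aggregate denials into the allow rules the policy would need."""
    rules: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {text};")
    return out
```

The derived rules are what the two commits in comment 6 add to the distribution policy; the `permissive` field tells a triager whether the record came from a blocked operation or from a permissive-mode run like the one in comment 4.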

Comment 11 Martin Pitt 2022-02-05 08:53:47 UTC
For the record, this regression just entered Fedora 35 as well.

Comment 12 Bryan Gurney 2022-02-07 14:05:28 UTC
I've just confirmed the regression in F35; with these packages:

selinux-policy-35.13-1.fc35.noarch
selinux-policy-targeted-35.13-1.fc35.noarch

...the four tests that start with "test_filesystem_udev_symlink" in the suite at https://github.com/stratis-storage/ci/tree/master/blackbox are now failing, because the "/dev/stratis" symlink cannot be found.

Comment 13 Zdenek Pytela 2022-02-07 17:29:45 UTC
(In reply to Martin Pitt from comment #11)
> For the record, this regression just entered Fedora 35 as well.

It will be resolved in the next build, it already is fixed in rawhide.

Comment 18 errata-xmlrpc 2022-05-10 15:15:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995